Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net>

2013.05.31 -- Version 2.3.2

Only print script warnings when a script is used. Remove stray mention of script-security system.
Move settings of user script into set_user_script function
Move checking of script file access into set_user_script

Provide more accurate warning message

Fix NULL-pointer crash in route_list_add_vpn_gateway().
Fix problem with UDP tunneling due to mishandled pktinfo structures.

Always push basic set of peer info values to server.

make 'explicit-exit-notify' pullable again

Fix proto tcp6 for server & non-P2MP modes
Fix Windows script execution when called from script hooks

Fixed tls-cipher translation bug in openssl-build
Fixed usage of stale define USE_SSL to ENABLE_SSL

Fix segfault when enabling pf plug-ins

2013.03.29 -- Version 2.3.1

Remove dead code path and putenv functionality
Remove unused function xor
Move static prototype definition from header into c file
Remove unused function no_tap_ifconfig

fix build with automake 1.13(.1)

Christian Niessner (1):
Fix corner case in NTLM authentication (trac #172)

Update README.IPv6 to match what is in 2.3.0
Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
Permit pool size of /64.../112 for ifconfig-ipv6-pool
Add MIN() compatibility macro
Fix directly connected routes for "topology subnet" on Solaris.

close more file descriptors on exec
Ignore UTF-8 byte order mark
reintroduce --no-name-remapping option
make --tls-remote compatible with pre 2.3 configs
add new option for X.509 name verification

man page patch for missing options

Fix parameter listing in non-debug builds at verb 4
(updated) [PATCH] Warn when using verb levels >=7 without debug

Enable TCP_NODELAY configuration on FreeBSD.

Removed ChangeLog.IPv6
Added cross-compilation information INSTALL-win32.txt

Cleaned up and updated INSTALL

Improve PolarSSL key_state_read_{cipher, plain}text messages
Improve verify_callback messages
Config compatibility patch. Added translate_cipher_name.
Switch to IANA names for TLS ciphers.
Fixed autoconf script to properly detect missing pkcs11 with polarssl.
Use constant time memcmp when comparing HMACs in openvpn_decrypt.

2013.01.07 -- Version 2.3.0

Fix parameter type for IP_TOS setsockopt on non-Linux systems.
Fix client crash on double PUSH_REPLY.

2012.12.17 -- Version 2.3_rc2

Fix --show-pkcs11-ids (Bug #239)

Error message if max-routes used incorrectly
Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
Remove dnsflags_to_socktype, it is not used anywhere
Fix the proto is used inconsistently warning

David Sommerseth (3):
Fix double-free issue in pf_destroy_context()
The get_default_gateway() function uses warn() instead of msg()
Avoid recursion in virtual_output_callback_func()

Implement --mssfix handling for IPv6 packets.
Fix option inconsistency warnings about "proto" and "tun-ipv6"

Joachim Schipper (2):
doc/management-notes.txt: fix typo
Fix typo in ./configure message

2012.10.31 -- Version 2.3_rc1

Fixed a bug where PolarSSL gave an error when using an inline file tag.

Document management-external-key
Options parsing demands unnecessary configuration if PKCS11 is used

David Sommerseth (2):
Make git ignore some more files
Remove the support for using system() when executing external programs or scripts

Fix display of plugin hook types
Support UTF-8 --client-config-dir

Fix v3 plugins to support returning values back to OpenVPN.

2012.09.12 -- Version 2.3_beta1

Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used
Merge almost identical create_socket_tcp and create_socket_tcp6
Document the inlining of files in openvpn and document key-direction
Merge getaddr_multi and getaddr6 into one function
Document --management-client and --management-signal a bit better
Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen.
Add checks for external-key-managements

David Sommerseth (1):
Fix reconnect issues when --push and UDP is used on the server

Reduce --version string detail about IPv6 to just "[IPv6]".
Put actual OpenVPN command line on top of corresponding log file.
Keep pre-existing tun/tap devices around on *BSD
make "ipv6 ifconfig" on linux compatible with busybox ifconfig

fix regression with --http-proxy[-*] options
add x_msg_va() log function
add API for plug-ins to write to openvpn log
remove stale _openssl_get_subject() prototype
remove unused flag SSLF_NO_NAME_REMAPPING
Add --compat-names option

2012.07.20 -- Version 2.3_alpha3

Fix compiling with --disable-management

Repair "tap server" mode brokenness caused by <stdbool.h> fallout

make non-blocking connect work on Windows
don't treat socket related errors special anymore
remove unused show_connection_list debug function
add option --management-query-proxy

2012.06.29 -- Version 2.3_alpha2

Adriaan de Jong (11):
Fixed off-by-one in serial length calculation
Migrated x509_get_subject to use of the garbage collector
Migrated x509_get_serial to use the garbage collector
Migrated x509_get_sha1_hash to use the garbage collector
Ensure sys/un.h autoconf detection includes sys/socket.h
Added support for new PolarSSL 1.1 RNG
Added a configuration option to enable prediction resistance in the PolarSSL random number generator.
Use POLARSSL_CFLAGS instead of POLARSSL_CRYPTO_CFLAGS in configure.ac
Removed support for PolarSSL < 1.1
Updated README.polarssl with build system changes.
Removed stray "Fox-IT hardening" string.

build: version should not contain '-'
package: rpm: strip should be handled by package management
cleanup: options.c: remove redundant include
cleanup: remove C++ warnings
cleanup: win32.c: wrong printf format
cleanup: remove redundant ';'
cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
cleanup: tun.c: fix incorrect option in message (ip-win32)
cleanup: memcmp.c: remove unused source
fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
build: correct place to alter WINVER is at build system

build: handle printf style format in mingw
build: rename plugin directory to plugins
build: plugins: properly use CC, CFLAGS and LDFLAGS
build: we need the sample.ovpn in future

cleanup: rename tap-windows function from win32 to win
build: remove windows specific build system
build: split acinclude.m4 into m4/*
build: m4/ax_varargs.m4: cleanup
build: m4/ax_emptyarray.m4: cleanup
build: m4/ax_socklen_t.m4: cleanup
build: autotools: first pass of trivial autotools changes
build: autoconf: remove OPENVPN_ADD_LIBS useless macro
build: remove awk and non-standard autoconf output processing
build: standard directory layout
build: add libtool + windows resources for executables
build: autoconf: commands as environment

build: properly detect and use socket libs
build: autoconf: minor cleanups
build: proper selinux detection and usage
build: distribute pkg.m4
build: proper pkcs11-helper detection and usage
build: properly process lzo-stub
build: proper lzo detection and usage
build: proper crypto detection and usage
build: autoconf: update defaults for options
build: win-msvc: msbuild format
build: move out config.h include from syshead
build: split out compat
build: move gettimeofday() emulation to compat
build: move daemon() emulation into compat
build: move inet_ntop(), inet_pton() emulation into compat
cleanup: move console related function into its own module
build: move wrappers into platform module
build: windows: install version.sh to allow installer read version
build: distribute samples in windows
build: use tap-windows.h as external dependency
build: ax_varargs.m4: fixups
build: autoconf: misc sockets fixups
build: enable lzo by default
build: windows: set vendor to openvpn project + cleanups
build: assume dlfcn is available on all supported platforms
build: openbsd: detect netinet/ip.h correctly
build: tap: search for tap header
build: msvc: upgrade to Visual Studio 2010 + fixups
Enable pedantic in windows compilation
cleanup: flags should not be bool
cleanup: avoid using ~0 - generic
cleanup: avoid using ~0 - ipv6
cleanup: avoid using ~0 - netmask
cleanup: avoid using ~0 - windows

build: fix some statement left from conversion
build: properly detect netinet/ip.h structs
build: properly detect TUNSETPERSIST
cleanup: plugin: support C++ plugin
cleanup: remove C++ comments
cleanup: add .gitattributes to control eol style explicitly
crash: packet_id_debug_print: sl may be null
build: use stdbool.h if available
build: fix typo in --enable-save-password
build: windows: convert resources to UTF-8
build: check minimum polarssl version
cleanup: update .gitignore
cleanup: spec: make space/tab consistent
build: spec: we support openssl >= 0.9.7
build: install README* document using build system
build: detect sys/wait.h required for *bsd
build: add git revision to --version output if build from git repository
build: cleanup: yet another forgotten brackets
build: update INSTALL to recent changes
build: support platforms that do not need explicit tun headers
build: do not support <polarssl-1.1.0
build: add --with-special-build to provide special build string
cleanup: pkcs11.c: resolve warnings
build: integrate plugins build into core build
build: plugins: set defaults based on platform
cleanup: windows: convert argv (UCS-2 to UTF-8) at earliest
build: msvc: chdir with change drive to script location

Add the query to the error message.
Explain that route-nopull also causes the client to ignore dhcp options.
Add the name of the context where option is not allowed to the error message.
Only use tmpdir if tmp_dir is really used.
Completely remove ancient IANA port warning.
Remove ENABLE_INLINE_FILES conditionals
Remove ENABLE_CONNECTIONS ifdefs

David Sommerseth (5):
Clean-up: Presume that Linux is always IPv6 capable at build time
Simplify check_cmd_access() function
Change version to indicate the master branch is not a version
Some filesystems don't like ':', which is a path 'make dist' would use
Remove two unused functions

Frank de Brabander (1):
Fix reported compile issues on OSX 10.6.8

repair t_client.sh test after build system revolution
t_client.sh iproute2 script fixes
t_client.sh - fix for iproute2, print summary line
Implement search for "first free" tun/tap device on Solaris
cleanup and redefine metric handling for IPv6 routes
remove "*option" element in "struct route_ipv6"
Remove warning about explicit support for IPv6 support not provided MacOS X
Add missing pieces to IPv6 route gateway handling.
Update TODO.IPv6 list
Remove #include "config.h" from ssl_polarssl.h

remove wrapper code for Windows CryptoAPI function
fix warnings in event.c when building for win32-64
remove the --auto-proxy option from openvpn

Remove calls to OpenSSL when building with --disable-ssl

Jonathan K. Bullard (2):
Fix file access checks on commands
Clarified the docs and help screen about what a 'cmd' is

Samuli Seppänen (1):
Added notes about upgrading from 2.3-alpha1 and earlier to INSTALL-win32.txt

2012.02.21 -- Version 2.3-alpha1

Adriaan de Jong (127):
Added Doxygen doxyfile
Changed configure to accept --with-ssl-type=openssl
Refactored to rand_bytes for OpenSSL-independency
Refactored OpenSSL-specific constants
Refactored maximum cipher and hmac length constants
Refactored show_available_* functions
Refactored SSL_clear_error()
Refactored crypto initialisation functions
Refactored DES key manipulation functions
Refactored NTLM DES key generation
Refactored message digest type functions
Refactored message digest functions
Refactored HMAC functions
Refactored cipher key types
Refactored cipher functions

Refactored: Moved crypto.h inline functions to end of file
Removed stale OpenSSL defines from crypto.h
Added a check for Openssl or PolarSSL defines
Refactored: Added stubs for new files
Refactored SSL initialisation functions
Refactored TLS_PRF to new hmac and md primitives
Refactored tls_show_available_ciphers
Refactored get_highest_preference_tls_cipher
Refactored root SSL context initialisation
Refactored new external key code
Refactored DH parameter loading
Refactored root TLS option settings
Refactored PKCS#12 key loading
Refactored PKCS#11 loading
Refactored windows cert loading
Refactored load certificate functions
Refactored private key loading code
Refactored external key loading from management
Refactored CA and extra certs code
Refactored cipher restriction code
Refactored tls_options, key_state, and key_source data structures
Refactored initialisation of key_states
Refactored key_state free code
Refactored print_details
Refactored key_state read code (including bio_read())
Refactored key_state write functions
Refactored: Moved BIO debug functions to OpenSSL backend
Refactored: removed ks and ks_lame macro for clarity
Refactored: moved write_empty_string function back
Refactored Doxygen for tls_multi functions
Migrated data structures needed by verification functions to ssl_common.h
Refactored client_config_dir_exclusive function
Refactored certificate hash lock checks
Refactored common name locking functions
Refactored username and password authentication code
Add some extra comments
Refactored: split verify_callback into two parts
Added function to extract and verify the subject from a certificate
Added function to verify and extract the username
Refactored: removed global x509_username_field
Refactored: separated environment setup during verification
Refactored: Netscape certificate type verification
Refactored key usage verification code
Refactored EKU verification
Refactored tls-remote checking
Refactored tls-verify-plugin code
Refactored tls-verify script code
Refactored CRL checks
Minor cleanup in verify_cert:
Refactored: Moved verify_cert to ssl_verify

Refactored: made M_SSL dependent on USE_OPENSSL
Refactored: renamed X509 functions from verify_*
Separated OpenSSL-specific parts of the PKCS#11 driver
Modified base64 code in preparation for PolarSSL merge
Final cleanup before PolarSSL addition:
Refactored X509 track feature to be contained within the openssl backend
Added PolarSSL support:
Fixed a missing include in ssl_backend.h
Fixed a bug in the hash generation in ssl_verify_openssl.c
Added SHA_DIGEST_SIZE definition
Changed PolarSSL crypto backend to support v0.99-pre5
Updated ssl_polarssl.c to work with 0.99-pre5
Fixed a compilation warning for size_t key sizes
Added a warning that the PolarSSL library does not support pkcs12 files.
Added warning that --capath is not available with PolarSSL
Disable CryptoAPI when not using OpenSSL, and document that fact.
Removed support for management external keys in PolarSSL
Removed stray X509_free from ssl.c
Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
Added an extra define to allow building without PKCS#11
Added SSL library to title string
Disabled X.509 track and username selection for PolarSSL
Hardening: periodically reset the PRNG's nonce value
Fixes for the plugin system:
Further improvements to plugin support:
Fixed an unintentional change in the options calculated key size.
Moved print messages back to generic crypto.c from cipher backends
Moved HMAC prints back to main crypto module
Added back checks for ks->authenticated in verify_user_pass
Moved gc_new and gc_free to begin end of function
Fixed a bug in the return value of ssl_verify when pre_verify failed
Unified verification function return values:
Removed a stray Fox-IT tag
Fixed a typo: print the subject instead of the serial for verification errors
Made SSL_CIPHER const in print_details, to fix warning
Moved to PolarSSL 1.0.0:
Added missing #ifdef to allow --disable-management to work again
Fixed disabling crypto and SSL
Got rid of a few magic numbers in ntlm.c
Removed obsolete des_cblock and des_keyschedule
Further removal of des_old.h based calls
Fixed missing comma in plugin.h
Moved prng_uninit out of crypto_uninit_lib
Moved CryptoAPI header include to the ssl_openssl.c
Reordered functions to ensure warning-free Windows build
Added options to switch between OpenSSL and PolarSSL and PKCS11...
Moved from strsep to strtok, for Windows compatibility
Minor cleanup to enable warning-free Windows build:
Fixed a typo when initialising cryptoapi certs
Minor code cleanup: cleaned up error handling in verify_cert.
Moved out of memory prototype to error.h, as the definition is in error.c
Removed support for calling gc_malloc with a NULL gc_arena struct

(The following patches from Adriaan were mistakenly merged with
the wrong commit author in the git tree)
Doxygen: Added data channel crypto docs
Added control channel crypto docs
Added compression docs
Added reliability layer documentation
Added memory management documentation
Added data channel fragmentation docs
Added main/control docs
Moved doxygen-specific files to a separate directory

autoconf fixes for building on OSX

David Sommerseth (50):
Provide 'dev_type' environment variable to plug-ins and script hooks
Define the new openvpn_plugin_{open,func}_v3() API
Implement the core v3 plug-in function calls.
Extend the v3 plug-in API to send over X509 certificates
Added a simple plug-in demonstrating the v3 plug-in API.
Separate the general plug-in version constant and v3 plug-in structs version
Use a version-less version identifier on the master branch
Fix the --client-cert-not-required feature
Change the default --tmp-dir path to a more suitable path
Improve the mysprintf() issue in openvpnserv.c
Add a simple comment regarding openvpn_snprintf() is duplicated
Merge branch 'feat_ipv6_transport'
Merge branch 'feat_ipv6_payload'
Merge branch 'svn-branch-2.1' into merge
Solved hidden merge conflicts between master and svn-branch-2.1
Fix const declarations in plug-in v3 structs
Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
Fix compiling issues with pkcs11 when --disable-management is configured
Remove support for Linux 2.2 configuration fallback
Revert "Add new openssl.cnf to easy-rsa/Windows"
Merge remote branch SVN 2.1 into the git tree
Merge branch 'svn-merger'
Fix Microsoft Visual Studio incompatibility in plugin.c
Fixed compile issues on FreeBSD and Solaris
Fix PolarSSL and --pkcs12 option issues
Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
Make '--win-sys env' default
Do some file/directory tests before really starting openvpn
Fix bug after removing Linux 2.2 support
Don't look for 'stdin' file when using --auth-user-pass
Fix compiling with --disable-crypto and/or --disable-ssl
Fix a couple of issues in openvpn_execve()
Move away from openvpn_basename() over to platform provided basename()
Enable access() when building in Visual Studio
New Windows build fixes
Fix compilation errors on Linux platforms without SO_MARK
autotools ./configure doesn't like compat.h
Fix pool logging when IPv6 is not enabled
Don't check for file presence on inline files
Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
Enhance the error handling in _openssl_get_subject()
Fix assert() situations where gc_malloc() is called without a gc_arena object
Fix compile issues when plug-ins are disabled.
Remove --show-gateway if debug info is not enabled (--disable-debug)
Fix compile issues with status.c
Connection entry {tun,link}_mtu_defined not set correctly
Makefile.am referenced a now non-existing config-win32.h
Makefile.am was missing ssl_common.h
Revamp check_file_access() checks in stdin scenarios

New feature: Add --stale-routes-check

Frank de Brabander (1):
Fixed wrong return type of cipher_kt_mode

Add support to forward console query to systemd

Add more detailed explanation regarding the function of "--rdns-internal"
Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release.
remove NOTES file from commit - private scribbling
NetBSD fixes - on 4.0 and up, use multi-af mode.
new feature: "ifconfig-ipv6-push" (from ccd/ config)
add some TODOs to TODO.IPv6
undo accidental duplication of existing "--iroute" line in the help text
basic documentation of IPv6 related options and their syntax
Enable IPv6 Payload in OpenVPN p2mp tun server mode.
remove NOTES file from commit - private scribbling
env_block(): if PATH is not set, add standard PATH setting to env
add IPv6 route add / route delete code for windows (using "netsh")
- Win32 IPv6 ifconfig support, using "netsh" calls
drop "bool ipv6" from open_tun() and tuncfg() prototypes
document recent changes and open TODOs, adapt --version info, tag release
Win32: set next-hop for IPv6 routes according to TUN/TAP mode
when deleting a route on win32, also add gateway address
WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
revert unconditionally-enabling of setenv_es() logging
implement IPv6 ifconfig + route setup/deletion on OpenBSD
full "VPN client connect" test framework for OpenVPN t_client.rc-sample
renamed t_client.sh to t_client.sh.in
2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
correct URL for "more information about IPv6 patch is *here*"
bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
bump IPv6 version number (openvpn --version) to 20100922-1
Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
rebased to 2.2RC2 (beta 2.2 branch)
Windows IPv6 cleanup - properly remove IPv6 routes and interface config
For all accesses to "struct route_list * rl", check first that rl is non-NULL
Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
Platform cleanup for NetBSD
Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
add missing break between "case IPv4" and "case IPv6"
bump tap driver version from 9.8 to 9.9
log error message and exit for "win32, tun mode, tap driver version 9.8"
work around inet_ntop/inet_pton problems for MSVC builds on WinXP
Fix build-up of duplicate IPv6 routes on reconnect.
Fix list-overrun checks in copy_route_[ipv6_]option_list()
add "print test titles" and "use sudo" functionality to t_client.rc
Platform cleanup for FreeBSD
Implement IPv6 interface config with non-/64 prefix lengths.
Fix RUN_SUDO functionality for t_client.sh
Document IPv6-related environment variables.
Platform cleanup for OpenBSD

Avoid re-defining uint32_t when using mingw compiler

Gustavo Zacarias (1):
Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto

add .gitignore to official repository
remove function is_proto_tcp()
remove legacy code to query IE proxy information
lowercase include header name in syshead.h
define IN6_ARE_ADDR_EQUAL macro for WIN32
add --mark option to set SO_MARK sockopt
Windows UTF-8 input/output
UTF-8 X.509 distinguished names
set Windows environment variables as UCS-2
handle Windows unicode paths
replace check for TARGET_WIN32 with WIN32
do not use mode_t on Windows
use the underscore version of stat on Windows
make MSVC link against shell32 as well
move variable declaration to top of function
define access mode flag X_OK as 0 on Windows

The code blocks enabled by ENABLE_CLIENT_CR depend on management

Added "management-external-key" option.
Minor addition of logging info before and after execution of Windows net commands.

Added --x509-track option.
* added --management-up-down option to allow management interface to be notified of tunnel up/down events.
Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
Implemented get_default_gateway_mac_addr for Mac OS X

Properly handle certificate serial numbers > 32 bits.
Added "client-nat" option for stateless, one-to-one NAT on the client side.
Renamed branch to reflect that it is no longer beta.
env_filter_match now includes the serial number of all certs
Fixed issue where a client might receive multiple push replies from a server
Fixed bug introduced in r7031 that might cause this error message:
Extended "client-kill" management interface command (server-side)
Client will now try to reconnect if no push reply received within handshake-window seconds.

Fixed compiling issues when using --disable-crypto
Added "management-external-key" option.

win/sign.py now accepts an optional tap-dir argument.
Added "auth-token" client directive
Added ./configure --enable-osxipconfig option for Mac OS X
Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
Fixed bug in port-share that could cause port share process to crash
For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure

Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
Added 'dir' flag to "crl-verify" (see man page for info).
Added new "extra-certs" and "verify-hash" options
Fixed compile issues on Windows.
Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
Added optional journal directory argument to "port-share" directive
Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
env_filter_match now includes the serial number of all certs in chain
Added support for static challenge/response protocol.

Added redirect-gateway block-local flag, with support for Linux, Mac OS X
Extended x509-track to allow SHA1 certificate hash to be extracted
Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.

Fixed MSVC compile error related to r7408.
Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
Changed CC_PRINT character class to allow UTF-8 chars.
Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
Fixed issue where redirect-gateway block-local code was not correctly calculating...
CC_PRINT character class now allows any 8-bit character value >= 32.
"status" management interface command (version >= 2) will now include the username for each connected user.
Minor fix to CC_PRINT char class
Fixed management interface bug where >FATAL notifications were not being output properly
Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
Added support for "on-link" routes on Linux client

Jan Just Keijser (1):
Made some options connection-entry specific

common_name passing in auth_pam plugin

JuanJo Ciarlante (40):
* rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
* created getaddr6(), use it from resolve_remote()
* migrated all getaddrinfo() to getaddr6
* socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
* support --disable-ipv6 build properly:
* important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
* added README.ipv6.txt
* fixed win32 non-ipv6 build
* ipv6 on win32 "milestone": 1st snapshot that passes all unittests
* document ipv6 milestone status
* doc update w/unittests results
* make possible to x-compile openvpn/win32 in Linux
* correctly setup hints.ai_socktype for getaddrinfo(), although sorta hacky, see TODO.ipv6.
* renamed README.ipv6{.txt,}
* updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
* init.c: document the ENABLE_MANAGEMENT place to work on
* init.c: small in-doc tweaks
* fix multi-tcp crash (corrected assertion)

* socket.c: better buf logic in print_sockaddr_ex
* fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)

* openbsd: no IFF_MULTICAST, #ifdef around it
* no new functionality, just small cleanups
* (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
* polished redirect-gateway (ipv4 on ipv6 endpoints) support

* fix --disable-ipv6 build

* rebased to v2.1.1 release
* undo mroute.c changes related to ipv6 payload
* fix --multihome for ipv4
* fix --multihome for ipv6
* ipv6-0.4.14: fix xinetd usage
* ipv6-0.4.15: add --multihome support to xBSD
* ipv6-0.4.15b: rebase over openvpn-testing-master
* ipv6-0.4.16: fix mingw32 build
* make ipv6_payload compile under windowze
USE_PF_INET6 by default for v2.3
fix ipv6 compilation under macosx >= 1070 - v3

Add extv3 X509 field support to --x509-username-field

Matthew L. Creech (1):
Fix 2.2.0 build failure when management interface disabled

Skip rather than fail test in addressless FreeBSD jails.

Update man page with info about --capath
Update man page with info about --connect-timeout
Added info about --show-proxy-settings
Documented --x509-username-field option
Documented --errors-to-stderr option
Documented --push-peer-info option
Update man page with info about --remote-random-hostname
Added man page entry for --management-client

Samuli Seppänen (19):
Add man page entry for --redirect-private
Change all CRLF linefeeds to LF linefeeds
Fix a bug in devcon source code handling
Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
Fix a build-ca issue on Windows
Add new openssl.cnf to easy-rsa/Windows
Updated "easy-rsa" for OpenSSL 1.0.0
Made domake-win builds use easy-rsa/2.0/openssl-1.0.0.cnf
Fixes to easy-rsa/2.0
Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
Fixed a number of fatal build errors on Visual Studio 2008
Fix a Visual Studio 2008 build issue in socket.c
Additional Visual Studio 2008 build fixes to tun.c
Fixed a typo in win32.h that prevented building with Visual Studio
Fixed a regression causing VS2008/Python build failure
Fix a Visual Studio 2008 build error in tun.c
Fix a Visual Studio 2008 build error in options.c

Fix issues with some older GCC compilers

Stefan Hellermann (2):
plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
Fixed typo in plugin.h

Clarify --tmp-dir option

Change the netsh.exe command from "add" to "set".
763 2011.12.25 -- Version 2.x-master
765 Added support for "on-link" routes on Linux client -- these are
766 routes where the gateway is specified as an interface rather than
767 an address. This allows redirect-gateway to work on Linux clients
768 whose connection to the internet is via a point-to-point link
771 Note that at the moment, this capability is incompatible with
772 the "redirect-gateway block-local" directive -- this is because
773 the block-local directive blocks all traffic from the local LAN
774 except for the local and gateway addresses. Since a PPP link
775 is essentially a subnet of two addresses, local and remote (i.e.
776 gateway), the set of addresses that would be blocked by block-local
777 is empty. Therefore, the "redirect-gateway block-local" directive
778 will be ignored on PPP links.
780 To view the OpenVPN client's current determination of the default
781 gateway, use this command:
783 ./openvpn --show-gateway
785 2011.03.24 -- Version 2.2-RC2
787 Windows cross-compile cleanup
789 David Sommerseth (2):
790 Open log files as text files on Windows
791 Clarify default value for the --inactive option.
794 Implement IPv6 in TUN mode for Windows TAP driver.
796 Samuli Seppänen (6):
797 Added support for prebuilt TAP-drivers. Automated embedding manifests.
798 Fixes to win/openvpn.nsi
799 Replaced config-win32.h with win/config.h.in
800 Updated INSTALL-win32.txt
802 Clarified --client-config-dir section on the man-page.
805 Fix line continuation in chkconfig init script description.
807 2011.02.28 -- Version 2.2-RC
808 David Sommerseth (3):
809 Make the --x509-username-field feature an opt-in feature
810 Fix compiler warning when compiling against OpenSSL 1.0.0
811 Fix packaging of config-win32.h and service-win32/msvc.mak
814 Minor addition of logging info before and after execution of Windows net commands.
817 Change variadic macros to C99 style.
819 Samuli Seppänen (15):
820 Added ENABLE_PASSWORD_SAVE to config-win32.h
821 Added a nmake makefile for openvpnserv.exe building
822 Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
823 Added helper functionality to win/wb.py
824 Added support for viewing config-win32.h parameters to win/show.py
825 Added comments and made small modifications to win/msvc.mak.in
826 Added command-line switch to win/build_all.py to skip TAP driver building
827 Added configure.h and version.m4 variable parsing to win/config.py
828 Added openvpnserv.exe building to win/build.py
829 Added comments to win/build_ddk.py
830 Several modifications to win/make_dist.py to allow building the NSI installer
831 Copied install-win32/setpath.nsi to win/setpath.nsi
832 Added first version of NSI installer script to win/openvpn.nsi
833 Changes to buildsystem patchset
834 Temporary snprintf-related fix to service-win32/openvpnserv.c
836 2010.11.25 -- Version 2.2-beta5
838 Samuli Seppänen (1):
839 Fixed an issue causing a build failure with MS Visual Studio 2008.
841 2010.11.18 -- Version 2.2-beta4
843 David Sommerseth (10):
844 Clarified --explicit-exit-notify man page entry
845 Clean-up: Remove pthread and mutex locking code
846 Clean-up: Remove more dead and inactive code paths
847 Clean-up: Removing useless code - hash related functions
848 Use stricter snprintf() formatting in socks_username_password_auth() (v3)
849 Fix compiler warnings about not used dummy() functions
850 Fixed potential misinterpretation of boolean logic
851 Only add some functions when really needed
852 Removed functions not being used anywhere
853 Merged add_bypass_address() and add_host_route_if_nonlocal()
856 Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>.
857 Make "topology subnet" work on Solaris
858 Improved man page entry for script_type
861 Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
862 Implement challenge/response authentication support in client mode
863 Make base64.h have the same conditional compilation expression as base64.c.
864 Fixed compiling issues when using --disable-crypto
865 In verify_callback, the subject var should be freed by OPENSSL_free, not free
868 Remove hardcoded path to resolvconf
871 Add HTTP/1.1 Host header
874 Adding support for SOCKS plain text authentication
876 Samuli Seppänen (2):
877 Added check for variable CONFIGURE_DEFINES into options.c
878 Added command-line option parser and an unsigned build option to build_all.py
880 2010.08.21 -- Version 2.2-beta3
882 * Attempt to fix issue where domake-win build system was not properly
883 signing drivers and .exe files.
885 Added win/tap_span.py for building multiple versions of the TAP driver
886 and tapinstall binaries using different DDK versions to span from Win2K
890 David Sommerseth (2):
891 Test framework improvement - Do not FAIL if t_client.rc is missing
892 More t_client.sh updates - exit with SKIP when we want to skip
895 Fix compile problems on NetBSD and OpenBSD
896 Fix <net/if.h> compile time problems on OpenBSD for good
897 full "VPN client connect" test framework for OpenVPN
898 Build t_client.sh by configure at run-time.
901 Fixes openssl-1.0.0 compilation warning
903 2010.08.16 -- Version 2.2-beta2
905 * Windows security issue:
906 Fixed potential local privilege escalation vulnerability in
907 Windows service. The Windows service did not properly quote the
908 executable filename passed to CreateService. A local attacker
909 with write access to the root directory C:\ could create an
910 executable that would be run with the same privilege level as
911 the OpenVPN Windows service. However, since non-Administrative
912 users normally lack write permission on C:\, this vulnerability
913 is generally not exploitable except on older versions of Windows
914 (such as Win2K) where the default permissions on C:\ would allow
915 any user to create files there.
916 Credit: Scott Laurie, MWR InfoSecurity
918 * Added Python-based alternative build system for Windows using
919 Visual Studio 2008 (in win directory).
921 * When aborting in a non-graceful way, try to execute do_close_tun in
922 init.c prior to daemon exit to ensure that the tun/tap interface is
923 closed and any added routes are deleted.
925 * Fixed an issue where AUTH_FAILED was not being properly delivered
926 to the client when a bad password is given for mid-session reauth,
927 causing the connection to fail without an error indication.
929 * Don't advance to the next connection profile on AUTH_FAILED errors.
931 * Fixed an issue in the Management Interface that could cause
932 a process hang with 100% CPU utilization in --management-client
933 mode if the management interface client disconnected at the
934 point where credentials are queried.
936 * Fixed an issue where if reneg-sec was set to 0 on the client,
937 so that the server-side value would take precedence,
938 the auth_deferred_expire_window function would incorrectly
939 return a window period of 0 seconds. In this case, the
940 correct window period should be the handshake window
943 * Modified ">PASSWORD:Verification Failed" management interface
944 notification to include a client reason string:
946 >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
948 * Enable exponential backoff in reliability layer
951 * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
952 socket is created rather than waiting until after connect/listen.
954 * Management interface performance optimizations:
956 1. Added env-filter MI command to perform filtering on env vars
957 passed through as a part of --management-client-auth
959 2. man_write will now try to aggregate output into larger blocks
960 (up to 1024 bytes) for more efficient i/o
962 * Fixed minor issue in Windows TAP driver DEBUG builds
963 where non-null-terminated unicode strings were being
966 * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
967 was not being compiled in.
969 * Proxy improvements:
971 Improved the ability of http-auth "auto" flag to dynamically detect
972 the auth method required by the proxy.
974 Added http-auth "auto-nct" flag to reject weak proxy auth methods.
976 Added HTTP proxy digest authentication method.
978 Removed extraneous openvpn_sleep calls from proxy.c.
980 * Implemented http-proxy-override and http-proxy-fallback directives to make it
981 easier for OpenVPN client UIs to start a pre-existing client config file with
982 proxy options, or to adaptively fall back to a proxy connection if a direct
985 * Implemented a key/value auth channel from client to server.
987 * Fixed issue where bad creds provided by the management interface
988 for HTTP Proxy Basic Authentication would go into an infinite
989 retry-fail loop instead of requerying the management interface for
992 * Added support for MSVC debugging of openvpn.exe in settings.in:
994 # Build debugging version of openvpn.exe
995 !define PRODUCT_OPENVPN_DEBUG
997 * Implemented multi-address DNS expansion on the network field of route
1000 When only a single IP address is desired from a multi-address DNS
1001 expansion, use the first address rather than a random selection.
1003 * Added --register-dns option for Windows.
1005 Fixed some issues on Windows with --log, subprocess creation
1006 for command execution, and stdout/stderr redirection.
1008 * Fixed an issue where application payload transmissions on the
1009 TLS control channel (such as AUTH_FAILED) that occur during
1010 or immediately after a TLS renegotiation might be dropped.
1012 * Added warning about tls-remote option in man page.
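The 2.2-beta2 entry above describes an unquoted executable filename passed to CreateService. The audit below is an added example, not OpenVPN code: it models how CreateProcess resolves an unquoted command line containing spaces, lists the file names an attacker could plant ahead of the real binary, and shows the quoted form the fix produces. The service command lines are constructed, and the OpenVPN install path in them is assumed.

```python
# Constructed sample service command lines (not taken from OpenVPN or from a
# real registry). The first models the case the 2.2-beta2 notes describe: an
# unquoted executable path containing spaces. The install path is assumed.
SAMPLE_IMAGE_PATHS = {
    "OpenVPNService": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "QuotedService": r'"C:\Program Files\OpenVPN\bin\openvpnserv.exe"',
    "NoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def intended_executable(image_path):
    """The executable the service author meant: the command line up to and
    including the first ".exe" (assumption: the binary has that extension)."""
    end = image_path.lower().find(".exe")
    return None if end == -1 else image_path[: end + 4]


def hijack_candidates(image_path):
    """Return, in the order Windows would try them, the file names that
    CreateProcess resolves before reaching the intended executable when the
    command line is unquoted and contains spaces. The lookup stops at the
    first existing file, so write access to a parent directory (C:\ in the
    notes above) lets a local user plant one. Empty list: not affected."""
    if image_path.startswith('"'):
        return []                                  # already quoted
    real = intended_executable(image_path)
    if real is None:
        return []
    candidates = []
    for i, ch in enumerate(real):
        if ch != " ":
            continue
        prefix = real[:i]
        # CreateProcess appends ".exe" when the last element has no extension.
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def fixed_image_path(image_path):
    """Quote the executable filename (the change the notes describe for the
    value passed to CreateService); any arguments stay after the quotes."""
    if not hijack_candidates(image_path):
        return image_path
    real = intended_executable(image_path)
    return '"' + real + '"' + image_path[len(real):]


def audit(image_paths):
    """Map service name -> hijack candidates, omitting services with none."""
    findings = {}
    for name, path in image_paths.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings
```

On a real host the input to audit() would be the ImagePath values read from the services registry key; whether a candidate is exploitable then depends on who can create files in its parent directory, which is exactly the distinction between Win2K-era and later default permissions that the notes make.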
1014 2009.12.11 -- Version 2.1.1
1016 * Fixed some breakage in openvpn.spec (which is required to build an
1017 RPM distribution) where it was referencing a non-existent
1018 subdirectory in the tarball, causing it to fail (patch from
1021 2009.12.11 -- Version 2.1.0
1023 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
1024 (1) Fail gracefully rather than segfault if calloc returns NULL.
1025 (2) The openvpn_plugin_abort_v1 function can potentially be called
1026 with handle == NULL. Add code to detect this case, and if so, avoid
1027 dereferencing pointers derived from handle (Thanks to David
1028 Sommerseth for finding this bug).
1030 * Documented "multihome" option in the man page.
1032 2009.11.20 -- Version 2.1_rc22
1034 * Fixed a client-side bug on Windows that occurred when the
1035 "dhcp-pre-release" or "dhcp-renew" options were combined with
1036 "route-gateway dhcp". The release/renew would not occur
1037 because the Windows DHCP renew function is blocking and
1038 therefore must be called from another process or thread
1039 so as not to stall the tunnel.
1041 * Added a hard failure when peer provides a certificate chain
1042 with depth > 16. Previously, a warning was issued.
1044 2009.11.12 -- Version 2.1_rc21
1046 * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
1047 CVE-2009-3555. Note that OpenVPN has never relied on the session
1048 renegotiation capabilities that are built into the SSL/TLS protocol,
1049 therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
1050 completely) will not adversely affect OpenVPN mid-session SSL/TLS
1051 renegotiation or any other OpenVPN capabilities.
1053 * Added additional session renegotiation hardening. OpenVPN has always
1054 required that mid-session renegotiations build up a new SSL/TLS
1055 session from scratch. While the client certificate common name is
1056 already locked against changes in mid-session TLS renegotiations, we
1057 now extend this locking to the auth-user-pass username as well as all
1058 certificate content in the full client certificate chain.
1060 2009.10.01 -- Version 2.1_rc20
1062 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
1063 redirect-gateway option by itself, without any extra parameters,
1064 would cause the option to be ignored.
1066 * Fixed build problem when ./configure --disable-server is used.
1068 * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
1070 * Added --remote-random-hostname option.
1072 * Added "load-stats" management interface command to get global server
1075 * Added new ./configure flags:
1077 --disable-def-auth Disable deferred authentication
1078 --disable-pf Disable internal packet filter
1080 * Added "setcon" directive for interoperability with SELinux (Sebastien
1083 * Optimized PUSH_REQUEST handshake sequence to shave several seconds
1084 off of a typical client connection initiation.
1086 * The maximum number of "route" directives (specified in the config
1087 file or pulled from a server) can now be configured via the new
1088 "max-routes" directive.
1090 * Eliminated the limitation on the number of options that can be pushed
1091 to clients, including routes. Previously, all pushed options needed
1092 to fit within a 1024 byte options string.
1094 * Added --server-poll-timeout option : when polling possible remote
1095 servers to connect to in a round-robin fashion, spend no more than
1096 n seconds waiting for a response before trying the next server.
1098 * Added the ability for the server to provide a custom reason string
1099 when an AUTH_FAILED message is returned to the client. This
1100 string can be set by the server-side management interface and read
1101 by the client-side management interface.
1103 * client-kill management interface command, when issued on server, will
1104 now send a RESTART message to client.
1105 This feature is intended to make UDP clients respond the same as TCP
1106 clients in the case where the server issues a RESTART message in
1107 order to force the client to reconnect and pull a new options/route
1110 2009.07.16 -- Version 2.1_rc19
1112 * In Windows TAP driver, refactor DHCP/ARP packet injection code to
1113 use a DPC (deferred procedure call) to defer packet injection until
1114 IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
1115 in the context of AdapterTransmit. This is an attempt to reduce kernel
1116 stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
1117 observed on Vista. Updated TAP driver version number to 9.6.
1119 * In configure.ac, use datadir instead of datarootdir for compatibility
1120 with <autoconf-2.60.
1122 2009.06.07 -- Version 2.1_rc18
1124 * Fixed compile error on ./configure --enable-small
1126 * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
1127 does not build on Windows on non-MINGW32.
1129 2009.05.30 -- Version 2.1_rc17
1131 * Reduce the debug level (--verb) at which received management interface
1132 commands are echoed from 7 to 3. Passwords will be filtered.
1134 * Fixed race condition in management interface recv code on
1135 Windows, where sending a set of several commands to the
1136 management interface in quick succession might cause the
1137 latter commands in the set to be ignored.
1139 * Increased management interface input command buffer size
1140 from 256 to 1024 bytes.
1142 * Minor tweaks to Windows build system.
1144 * Added "redirect-private" option which allows private subnets
1145 to be pushed to the client in such a way that they don't accidentally
1146 obscure critical local addresses such as the DHCP server address and
1147 DNS server addresses.
1149 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
1150 client will examine the routing table and determine whether (a) the
1151 OpenVPN server is reachable via a locally connected interface, or (b)
1152 traffic to the server must be forwarded through the default router.
1153 Only add a special bypass route for the OpenVPN server if (b) is true.
1154 If (a) is true, behave as if the 'local' flag is specified, and do not
1157 The new 'autolocal' flag depends on the non-portable test_local_addr()
1158 function in route.c, which is currently only implemented for Windows.
1159 The 'autolocal' flag will act as a no-op on platforms that have not
1160 yet defined a test_local_addr() function.
1162 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
1163 more option content to be pushed from server to client).
1165 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
1166 levels <=3) a common and usually innocuous warning.
1168 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
1169 functionality (Alon Bar-Lev).
1171 * Fixed bug where the remote_X environmental variables were not being
1172 set correctly when the 'local' option is specified.
1174 2009.05.17 -- Version 2.1_rc16
1176 * Windows installer changes:
1178 1. ifdefed out the check Windows version code which is causing
1179 problems on Windows 7
1181 2. don't define SF_SELECTED if it is already defined
1183 3. Use LZMA instead of BZIP2 compression for better compression
1185 4. Upgraded OpenSSL to 0.9.8k
1187 * Added the ability to read the configuration file
1188 from stdin, when "stdin" is given as the config
1191 * Allow "management-client" directive to be used
1192 with unix domain sockets.
1194 * Added errors-to-stderr option. When enabled, fatal errors
1195 that result in the termination of the daemon will be written
1198 * Added optional "nogw" (no gateway) flag to --server-bridge
1199 to inhibit the pushing of the route-gateway parameter to
1202 * Added new management interface command "pid" to show the
1203 process ID of the current OpenVPN process (Angelo Laub).
1205 * Fixed issue where SIGUSR1 restarts would fail if private
1206 key was specified as an inline file.
1208 * Added daemon_start_time and daemon_pid environmental variables.
1210 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
1214 1. Fixed some issues with C++ style comments that leaked into the code.
1216 2. Updated configure.ac to work on MinGW64.
1218 3. Updated common.h types for _WIN64.
1220 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
1223 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
1224 OpenVPNCryptAcquireCertificatePrivateKey to work around
1225 a symbol conflict in MinGW-5.1.4.
1227 2008.11.19 -- Version 2.1_rc15
1229 * Fixed issue introduced in 2.1_rc14 that may cause a
1230 segfault when a --plugin module is used.
1232 * Added server-side --opt-verify option: clients that connect
1233 with options that are incompatible with those of the server
1234 will be disconnected (without this option, incompatible
1235 clients would trigger a warning message in the server log
1236 but would not be disconnected).
1238 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
1239 flag on the server as well as pushes it to connecting clients.
1241 * Minor options check fix: --no-name-remapping is a
1242 server-only option and should therefore generate an
1243 error when used on the client.
1245 * Added --prng option to control PRNG (pseudo-random
1246 number generator) parameters. In previous OpenVPN
1247 versions, the PRNG was hardcoded to use the SHA1
1248 hash. Now any OpenSSL hash may be used. This is
1249 part of an effort to remove hardcoded references to
1250 a specific cipher or cryptographic hash algorithm.
1252 * Cleaned up man page synopsis.
1254 2008.11.16 -- Version 2.1_rc14
1256 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
1257 with the goal of fixing a build issue on Fedora 9 that was
1258 introduced in 2.1_rc13.
1260 * Added additional method parameter to --script-security to preserve
1261 backward compatibility with system() call semantics used in OpenVPN
1262 2.1_rc8 and earlier. To preserve backward compatibility use:
1264 script-security 3 system
1266 * Added additional warning messages about --script-security 2
1267 or higher being required to execute user-defined scripts or
1270 * Windows build system changes:
1272 Modified Windows domake-win build system to write all openvpn.nsi
1273 input files to gen, so that gen can be disconnected from
1274 the rest of the source tree and makensis openvpn.nsi will
1275 still function correctly.
1277 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
1278 (commented out by default).
1280 Added optional files SAMPCONF_CONF2 (second sample configuration
1281 file) and SAMPCONF_DH (Diffie-Hellman parameters) to Windows
1282 build system, and may be defined in settings.in.
1284 * Extended Management Interface "bytecount" command
1285 to work when OpenVPN is running as a server.
1286 Documented Management Interface "bytecount" command in
1287 management/management-notes.txt.
1289 * Fixed informational message in ssl.c to properly indicate
1290 deferred authentication.
1292 * Added server-side --auth-user-pass-optional directive, to allow
1293 connections by clients that do not specify a username/password, when a
1294 user-defined authentication script/module is in place (via
1295 --auth-user-pass-verify, --management-client-auth, or a plugin module).
1297 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
1299 Calling scripts can set the KEY_NAME environmental variable to set
1300 the "name" X509 subject field in generated certificates.
1302 Modified pkitool to allow flexibility in separating the Common Name
1303 convention from the cert/key filename convention.
1307 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
1309 will create a client certificate/key pair of james.crt/james.key
1310 having a Common Name of "James's Laptop" and a Name of "james".
1312 * Added --no-name-remapping option to allow Common Name, X509 Subject,
1313 and username strings to include any printable character including
1314 space, but excluding control characters such as tab, newline, and
1315 carriage-return (this is important for compatibility with external
1316 authentication systems).
1318 As a related change, added --status-version 3 format (and "status 3"
1319 in the management interface) which uses the version 2 format except
1320 that tabs are used as delimiters instead of commas so that there
1321 is no ambiguity when parsing a Common Name that contains a comma.
1323 Also, save X509 Subject fields to environment, using the naming
1326 X509_{cert_depth}_{name}={value}
1328 This is to avoid ambiguities when parsing out the X509 subject string
1329 since "/" characters could potentially be used in the common name.
1331 * Fixed some ifconfig-pool issues that precluded it from being combined
1332 with --server directive.
1334 Now, for example, we can configure thusly:
1336 server 10.8.0.0 255.255.255.0 nopool
1337 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
1339 to have ifconfig-pool manage only a subset
1342 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
1343 config file syntax checking to allow directives for future OpenVPN
1344 versions to be ignored.
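The 2.1_rc14 entry on --no-name-remapping explains two parsing ambiguities: a comma inside a Common Name breaks the comma-delimited status version 2 output (hence the tab-delimited version 3), and a '/' inside a subject value breaks anything that splits the flattened subject string (hence the per-component X509_{depth}_{name} variables). The code below is an added example, not OpenVPN's own status writer or environment code: it renders both status formats for a constructed client whose Common Name contains a comma, parses them, and builds the environment from constructed subject components. The column set is assumed to resemble the CLIENT_LIST header of those versions.

```python
# Constructed status output, not captured from a real server. The columns
# mirror the CLIENT_LIST header that OpenVPN's version 2 and 3 status formats
# print; the exact column set varies between versions, so treat it as assumed.
COLUMNS = ["Common Name", "Real Address", "Virtual Address",
           "Bytes Received", "Bytes Sent", "Connected Since", "Username"]
ROW = ["Smith, Alice", "203.0.113.7:51234", "10.8.0.6", "1200", "3400",
       "Sun Nov 16 10:00:00 2008", "alice"]


def render_status(version):
    """Emit the two lines that matter: version 2 is comma-delimited,
    version 3 carries the same fields with tabs as delimiters."""
    sep = "," if version == 2 else "\t"
    header = sep.join(["HEADER", "CLIENT_LIST"] + COLUMNS)
    row = sep.join(["CLIENT_LIST"] + ROW)
    return header + "\n" + row + "\n"


def parse_client_list(status_text, version):
    """Parse CLIENT_LIST lines into dicts keyed by the HEADER column names.
    With version 2 the comma inside the Common Name shifts every later
    column by one; with version 3 the tab delimiter keeps them aligned."""
    sep = "," if version == 2 else "\t"
    header, clients = None, []
    for line in status_text.splitlines():
        fields = line.split(sep)
        if fields[:2] == ["HEADER", "CLIENT_LIST"]:
            header = fields[2:]
        elif fields[0] == "CLIENT_LIST" and header is not None:
            clients.append(dict(zip(header, fields[1:])))
    return clients


def x509_env(chain_subjects):
    """Build X509_{depth}_{name}={value} variables from per-certificate
    subject components (depth 0 is the client certificate). Each component
    is its own variable, so a '/' inside a value needs no escaping."""
    env = {}
    for depth, subject in enumerate(chain_subjects):
        for name, value in subject:
            env["X509_%d_%s" % (depth, name)] = value
    return env


def split_legacy_subject(subject_line):
    """The ambiguous alternative: splitting a flattened '/name=value/...'
    string on '/' mangles a CN that itself contains '/'."""
    parts = [p for p in subject_line.split("/") if p]
    return [tuple(p.split("=", 1)) if "=" in p else (None, p) for p in parts]


# Constructed subjects: the leaf CN deliberately contains '/'.
CHAIN_SUBJECTS = [
    [("CN", "foo/bar"), ("emailAddress", "foo@bar.com")],   # depth 0, client
    [("CN", "Example Root CA")],                             # depth 1, CA
]
```

The security point is that anything consuming status output or the environment to make decisions (a log parser, a firewall script keyed on Common Name) must not let a client-chosen string move the delimiter; the client controls its CN, so the format has to use a character the name cannot contain.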
1346 2008.10.07 -- Version 2.1_rc13
1348 * Bundled OpenSSL 0.9.8i with Windows installer.
1350 * Management interface can now listen on a unix
1351 domain socket, for example:
1353 management /tmp/openvpn unix
1355 Also added management-client-user and management-client-group
1356 directives to control which processes are allowed to connect
1359 * Copyright change to OpenVPN Technologies, Inc.
1361 2008.09.23 -- Version 2.1_rc12
1363 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
1364 part of the tarball (Matthias Andree).
1366 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
1367 was incorrectly expecting the lladdr parameter to be an IP address
1368 when it is actually a MAC address (HoverHell).
1370 2008.09.14 -- Version 2.1_rc11
1372 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
1373 to fail if UDP packets are dropped.
1375 2008.09.10 -- Version 2.1_rc10
1377 * Added "--server-bridge" (without parameters) to enable
1378 DHCP proxy mode: Configure server mode for ethernet
1379 bridging using a DHCP-proxy, where clients talk to the
1380 OpenVPN server-side DHCP server to receive their IP address
1381 allocation and DNS server addresses.
1383 * Added "--route-gateway dhcp", to enable the extraction
1384 of the gateway address from a DHCP negotiation with the
1385 OpenVPN server-side LAN.
1387 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
1388 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
1391 * Warn when ethernet bridging that the IP address of the bridge adapter
1392 is probably not the same address that the LAN adapter was set to
1395 * When running as a server, warn if the LAN network address is
1396 the all-popular 192.168.[0|1].x, since this condition commonly
1397 leads to subnet conflicts down the road.
1399 * Primarily on the client, check for subnet conflicts between
1400 the local LAN and the VPN subnet.
1402 * Added a 'netmask' parameter to get_default_gateway, to return
1403 the netmask of the adapter containing the default gateway.
1404 Only implemented on Windows so far. Other platforms will
1405 return 255.255.255.0. Currently the netmask information is
1406 only used to warn about subnet conflicts.
1408 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
1409 and USE_SSL flags are enabled (Alon Bar-Lev).
1411 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
1412 --script-security rules. Also adds retrying if the addresses are in
1413 use (Matthias Andree).
1415 * Fixed build issue with ./configure --disable-socks --disable-http.
1417 * Fixed separate compile errors in options.c and ntlm.c that occur
1418 on strict C compilers (such as old versions of gcc) that require
1419 that C variable declarations occur at the start of a {} block,
1422 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
1423 the new implementation of extract_x509_field_ssl depends on.
1425 * LZO compression buffer overflow errors will now invalidate
1426 the packet rather than trigger a fatal assertion.
1428 * Fixed minor compile issue in ntlm.c (mid-block declaration).
1430 * Added --allow-pull-fqdn option which allows client to pull DNS names
1431 from server (rather than only IP address) for --ifconfig, --route, and
1432 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
1433 for these options to be pulled and translated to IP addresses by default.
1434 Now --allow-pull-fqdn will be explicitly required on the client to enable
1435 DNS-name-to-IP-address translation of pulled options.
1437 * 2.1_rc8 and earlier did implicit shell expansion on script
1438 arguments since all scripts were called by system().
1439 The security hardening changes made to 2.1_rc9 no longer
1440 use system(), but rather use the safer execve or CreateProcess
1441 system calls. The security hardening also introduced a
1442 backward incompatibility with 2.1_rc8 and earlier in that
1443 script parameters were no longer shell-expanded, so
1446 client-connect "docc CLIENT-CONNECT"
1448 would fail to work because execve would try to execute
1449 a script called "docc CLIENT-CONNECT" instead of "docc"
1450 with "CLIENT-CONNECT" as the first argument.
1452 This patch fixes the issue, bringing the script argument
1453 semantics back to pre 2.1_rc9 behavior in order to preserve
1454 backward compatibility while still using execve or CreateProcess
1455 to execute the script/executable.
1457 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
1458 to more closely conform to RFC 3696:
1460 (1) DNS name length must not exceed 255 characters
1462 (2) DNS name characters must be limited to alphanumeric,
1463 dash ('-'), and dot ('.')
1465 * Fixed bug in intra-session TLS key rollover that was introduced with
1466 deferred authentication features in 2.1_rc8.
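The 2.1_rc10 entries on --allow-pull-fqdn and on ip_or_dns_addr_safe together describe how a client should treat address arguments pushed by the server: IP literals are always fine, DNS names only when the client opted in, and a name must be at most 255 characters of alphanumerics, '-' and '.'. The validator below is an added example written against those stated rules, not OpenVPN's own function. It is IPv4-only (the 2.1-era scope), the set of address-bearing options and the symbolic gateway keywords it skips are assumptions, and the pushed option strings are constructed.

```python
import ipaddress

MAX_DNS_NAME_LEN = 255
DNS_NAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")

# Pulled options whose leading arguments are addresses that end up on an
# ifconfig/route command line, with how many such arguments to check.
# Assumed list, IPv4 only, as in the 2.1 releases.
ADDRESS_ARGS = {"ifconfig": 2, "route": 3, "route-gateway": 1}

# Symbolic values the client resolves itself rather than treating as
# addresses (assumed set of keywords).
SYMBOLIC = {"vpn_gateway", "net_gateway", "remote_host", "dhcp"}


def is_ipv4_literal(value):
    try:
        ipaddress.IPv4Address(value)   # accepts dotted quads only
        return True
    except ValueError:
        return False


def dns_name_safe(value):
    """The two RFC 3696 checks listed in the 2.1_rc10 notes."""
    return 0 < len(value) <= MAX_DNS_NAME_LEN and all(c in DNS_NAME_CHARS for c in value)


def ip_or_dns_addr_safe(value, allow_pull_fqdn):
    """An IPv4 literal is always acceptable; a DNS name only when the client
    set --allow-pull-fqdn and the name passes dns_name_safe."""
    if is_ipv4_literal(value):
        return True
    return bool(allow_pull_fqdn and dns_name_safe(value))


def check_pushed_option(line, allow_pull_fqdn):
    """Validate one option string as pushed by the server. Returns (ok, reason).
    Options that carry no address arguments are passed through."""
    words = line.split()
    if not words:
        return False, "empty option"
    if words[0] not in ADDRESS_ARGS:
        return True, "not an address option"
    for arg in words[1:1 + ADDRESS_ARGS[words[0]]]:
        if arg in SYMBOLIC:
            continue
        if not ip_or_dns_addr_safe(arg, allow_pull_fqdn):
            return False, "rejected argument %r" % arg
    return True, "ok"


def filter_pushed(lines, allow_pull_fqdn):
    """Keep only the pushed options that pass validation."""
    return [line for line in lines if check_pushed_option(line, allow_pull_fqdn)[0]]


# Constructed pushed options; the last address one is hostile on purpose.
PUSHED = [
    "ifconfig 10.8.0.6 10.8.0.5",
    "route 10.9.0.0 255.255.255.0 vpn_gateway",
    "route 10.10.0.0 255.255.255.0 gw.example.com",
    "route-gateway $(id)",
    "dhcp-option DNS 10.8.0.1",
]
```

Note what the character whitelist buys: a value such as "$(id)" or "10.8.0.1;reboot" can never reach the command line of the system call that the older script-execution code used, which is the path the 2.1_rc9 advisory below describes.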
1468 2008.07.31 -- Version 2.1_rc9
1470 * Security Fix -- affects non-Windows OpenVPN clients running
1471 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
1472 vulnerable nor are any versions of the OpenVPN server vulnerable).
1473 An OpenVPN client connecting to a malicious or compromised
1474 server could potentially receive an "lladdr" or "iproute" configuration
1475 directive from the server which could cause arbitrary code execution on
1476 the client. A successful attack requires that (a) the client has agreed
1477 to allow the server to push configuration directives to it by including
1478 "pull" or the macro "client" in its configuration file, (b) the client
1479 successfully authenticates the server, (c) the server is malicious or has
1480 been compromised and is under the control of the attacker, and (d) the
1481 client is running a non-Windows OS. Credit: David Wagner.
1484 * Miscellaneous defensive programming changes to multiple
1485 areas of the code. In particular, use of the system() call
1486 for calling executables such as ifconfig, route, and
1487 user-defined scripts has been completely revamped in favor
1488 of execve() on unix and CreateProcess() on Windows.
1490 * In Windows build, package a statically linked openssl.exe to work around
1491 observed instabilities in the dynamic build since the migration to
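The 2.1_rc9 advisory above (server-pushed "lladdr" or "iproute" values reaching a system() call) and the 2.1_rc10 note on script argument semantics (execve() receives a ready-made argv, so "docc CLIENT-CONNECT" must be split into the program and its first argument by OpenVPN itself) describe the same hardening from two sides. The code below is an added example, not OpenVPN's process-execution code: it splits a script directive into argv without a shell, appends caller-supplied arguments, runs the result with execve-style semantics, and shows that arguments containing shell syntax arrive literally. The docc stand-in is a constructed Python one-liner rather than a real client-connect script, and /bin/sh is never involved.

```python
import os
import shlex
import subprocess
import sys

# Characters that system() would have let the shell interpret.
SHELL_METACHARS = frozenset("$`;|&<>()*?[]{}!\\\"'\n")


def shell_would_interpret(arg):
    """True when passing arg through system() would not be literal."""
    return any(c in SHELL_METACHARS for c in arg)


def build_argv(directive):
    """Split a script directive value such as 'docc CLIENT-CONNECT' into the
    argv vector execve() needs. Quoting groups words (so a script path with a
    space can be given in quotes); nothing is expanded."""
    return shlex.split(directive)


def system_style_command(directive, args):
    """What 2.1_rc8 and earlier effectively handed to system(): one string
    the shell re-parses, so every element of args is shell syntax."""
    return directive + " " + " ".join(args)


def run_script(directive, args, env=None):
    """Run the script named by a directive with extra arguments appended, the
    execve way: argv is a list, shell=False, so args are passed verbatim.
    Returns the script's stdout split into lines."""
    argv = build_argv(directive) + list(args)
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def demo_literal_arguments():
    """Call a constructed stand-in for the page's "docc" script (a Python
    one-liner that prints each of its arguments on its own line) with
    hostile-looking arguments. Under execve they are printed as given."""
    docc = "%s -c \"import sys; print(*sys.argv[1:], sep=chr(10))\"" % shlex.quote(sys.executable)
    directive = docc + " CLIENT-CONNECT"          # same shape as the notes' example
    return run_script(directive, ["$(id)", "a;b", "*"], env=dict(os.environ))
```

Running demo_literal_arguments() returns CLIENT-CONNECT, $(id), a;b and * as four separate lines; system_style_command() on the same inputs yields a single string in which shell_would_interpret() is true, which is the difference the rc9 fix removed.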
1494 2008.06.11 -- Version 2.1_rc8
1496 * Added client authentication and packet filtering capability
1497 to management interface. In addition, allow OpenVPN plugins
1498 to take advantage of deferred authentication and packet
1499 filtering capability.
1501 * Added support for client-side connection profiles.
1503 * Fixed unbounded memory growth bug in environmental variable
1504 code that could have caused long-running OpenVPN sessions
1505 with many TLS renegotiations to incrementally
1506 increase memory usage over time.
1508 * Windows release now packages openssl-0.9.8h.
1510 * Build system changes -- allow building on Windows using
1511 autoconf/automake scripts (Alon Bar-Lev).
1513 * Changes to Windows build system to make it easier to do
1514 partial builds, with a reduced set of prerequisites,
1515 where only a subset of OpenVPN installer
1516 components are built. See ./domake-win comments.
1518 * Cleanup IP address for persistence interfaces for tap and also
1519 using ifconfig, gentoo#209055 (Alon Bar-Lev).
1521 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
1523 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
1525 * Added new OpenVPN icon and installer graphic.
1527 * Minor pkitool changes.
1529 * Added --pkcs11-id-management option, which will cause OpenVPN to
1530 query the management interface via the new NEED-STR asynchronous
1531 notification query to get additional PKCS#11 options (Alon Bar-Lev).
1533 * Added NEED-STR management interface asynchronous query and
1534 "needstr" management interface command to respond to the query
1537 * Added Dragonfly BSD support (Francis-Gudin).
1539 * Quote device names before passing to up/down script (Josh Cepek).
1541 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
1542 prevent structure padding from causing an incorrect length
1543 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
1546 * On systems that support res_init, always call it
1547 before calling gethostbyname to ensure that
1548 resolver configuration state is current.
1550 * Added NTLMv2 proxy support (Miroslav Zajic).
1552 * Fixed an issue in extract_x509_field_ssl where the extraction
1553 would fail on the first field of the subject name, such as
1554 the common name in: /CN=foo/emailAddress=foo@bar.com
1556 * Made "Linux ip addr del failed" error nonfatal.
1558 * Amplified --client-cert-not-required warning.
1560 * Added #pragma pack to proto.h.
1562 2008.01.29 -- Version 2.1_rc7
1564 * Added a few extra files that exist in the svn repo but were
1565 not being copied into the tarball by make dist.
1567 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
1569 2008.01.24 -- Version 2.1_rc6
1571 * Fixed options checking bug introduced in rc5 where legitimate configuration
1572 files might elicit the error: "Options error: Parameter pkcs11_private_mode
1573 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
1576 2008.01.23 -- Version 2.1_rc5
1578 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
1579 incremented driver version to 9.4.
1581 * Windows build system changes:
1583 Incremented included OpenSSL version to openssl-0.9.7m.
1585 Updated openssl.patch for openssl-0.9.7m and added some
1586 brief usage comments to the head of the patch.
1588 Added build-pkcs11-helper.sh for building the pkcs11-helper
1591 Integrated inclusion of pkcs11-helper into Windows build
1594 Upgraded TAP build scripts to use WDK 6001.17121
1595 (Windows 2008 Server pre-RTM).
1597 * Windows installer changes:
1599 Clean up the start menu folder.
1601 Allow for a site-specific sample configuration file and keys
1602 to be included in a custom installer (see SAMPCONF macros
1605 New icon (temporary).
1607 * Added "forget-passwords" command to the management interface
1610 * Added --management-signal option to signal SIGUSR1 when the
1611 management interface disconnects (Alon Bar-Lev).
1613 * Modified command line and config file parser to allow
1614 quoted strings using single quotes ('') (Alon Bar-Lev).
1616 * Use pkcs11-helper as external library, can be downloaded from
1617 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
1619 * Fixed interim memory growth issue in TCP connect loop where
1620 "TCP: connect to %s failed, will try again in %d seconds: %s"
1623 * Fixed bug in epoll driver in event.c, where the lack of a
1624 handler for EPOLLHUP could cause 99% CPU usage.
1626 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
1627 want to use a CBC cipher for OpenVPN's data channel.
1629 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
1630 plugin directory to the dlopen search list when the user
1631 specifies the basename of the plugin only (Marius Tomaschewski).
1633 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
1634 to allow forward slash characters ("/") in the X509 common name
1637 * Allow OpenVPN to run completely unprivileged under Linux
1638 by allowing openvpn --mktun to be used with --user and --group
1639 to set the UID/GID of the tun device node. Also added --iproute
1640 option to allow an alternative command to be executed in place
1641 of the default iproute2 command (Alon Bar-Lev).
1643 * Fixed --disable-iproute2 in ./configure to actually disable
1644 iproute2 usage (Alon Bar-Lev).
1646 * Added --management-forget-disconnect option -- forget
1647 passwords when management session disconnects (Alon Bar-Lev).
1649 2007.04.25 -- Version 2.1_rc4
1651 * Worked out remaining issues with TAP driver signing
1652 on Vista x64. OpenVPN will now run on Vista x64
1653 with driver signing enforcement enabled.
1655 * Fixed 64-bit portability bug in time_string function
1658 2007.04.22 -- Version 2.1_rc3
1660 * Additional fixes to TAP driver for Windows x64. Driver
1661 now runs successfully on Vista x64 if driver signing
1662 enforcement is disabled.
1664 * The Windows Installer and TAP driver are now signed by
1665 OpenVPN Solutions LLC (in addition to the usual GnuPG
1668 * Added OpenVPN GUI (Mathias Sundman version) as install
1669 option in Windows installer.
1671 * Clean up configure on FreeBSD for recent autotool versions
1672 that require that all .h files have to be compiled.
1673 Also, FreeBSD install does not support GNU long options
1674 which the Makefile in easy-rsa/2.0 uses (not checked the
1675 others as we don't install those on Gentoo) (Roy Marples).
1677 * Added additional scripts to easy-rsa/Windows for working
1678 with password-protected keys; also add -extensions server
1679 option when generating server cert via
1680 build-key-server-pass.bat (Daniel Zauft).
1682 2007.02.27 -- Version 2.1_rc2
1684 * auth-pam change: link with -lpam rather
1685 than dlopen (Roy Marples).
1687 * Prevent SIGUSR1 or SIGHUP from causing program
1688 exit from initial management hold.
1690 * SO_REUSEADDR should not be set on Windows TCP sockets
1691 because it will cause bind to succeed on port conflicts.
1693 * Added time_ascii, time_duration, and time_unix
1694 environmental variables for plugins and callback
1697 * Fixed issue where OpenVPN does not apply the --txqueuelen option
1698 to persistent interfaces made with --mktun (Roy Marples).
1700 * Attempt at rational signal handling when in the
1701 management hold state. During management hold, ignore
1702 SIGUSR1/SIGHUP signals thrown with the "signal" command.
1703 Also, "signal" command will now apply remapping as
1704 specified with the --remap-usr1 option.
1705 When a signal entered using the "signal" command from a management
1706 hold is ignored, output: >HOLD:Waiting for hold release
1708 * Fixed issue where struct env_set methods that
1709 change the value of an existing name=value pair
1710 would delay the freeing of the memory held by
1711 the previous name=value pair until the underlying
1712 client instance object is closed.
1713 This could cause a server that handles long-term
1714 client connections, resulting in many periodic calls
1715 to verify_callback, to needlessly grow the env_set
1716 memory allocation until the underlying client instance
1719 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
1720 to reflect the fact that Vista has blacklisted the tap0801.sys
1721 file name due to previous compatibility issues which have now
1722 been resolved. TAP-Win32 major/minor version number is now 9/1.
1724 * Windows installer will delete a previously installed
1725 tap0801.sys TAP driver before installing tap0901.sys.
1727 * Added code to Windows installer to fail gracefully on 64 bit
1728 installs until 64-bit TAP driver issues can be resolved.
1730 * Added code to Windows installer to fail gracefully on
1731 versions of Windows which are not explicitly supported.
1733 * The Windows version will now use a default route-delay
1734 of 5 seconds to deal with an apparent routing table race
1737 * Worked around an incompatibility in the Windows Vista
1738 version of CreateIpForwardEntry as described in
1739 http://www.nynaeve.net/?p=59
1740 This issue would cause route additions using the
1741 IP Helper API to fail on Vista.
1743 * On Windows, revert to "ip-win32 dynamic" as the default.
1745 2006.10.31 -- Version 2.1_rc1
1747 * Support recovery (return to hold) from signal at
1748 management password prompt.
1750 * Added workaround for OpenSC PKCS#11 bug#108
1753 2006.10.01 -- Version 2.1-beta16
1755 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
1756 published vulnerabilities.
1758 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
1761 * Autodetect 32/64 bit Windows in installer and install
1762 appropriate TAP driver (Mathias Sundman, Hypherion).
1764 * Fixed bug in loopback self-test introduced
1765 in 2.1-beta15 where self test as invoked by
1766 "make check" would not properly exit after
1767 2 minutes (Paul Howarth).
1769 2006.09.12 -- Version 2.1-beta15
1771 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
1772 RSA Signature Forgery (CVE-2006-4339).
1774 * Fixed bug introduced with the --port-share directive
1775 (back in 2.1-beta9) which caused TLS soft resets
1776 (1 per hour by default) in TCP server mode to force
1777 a blockage of tunnel packets and later time-out and
1778 restart the connection.
1780 * easy-rsa update (Alon Bar-Lev)
1781 Makefile (install) is now available so that
1782 distributions will be able to install it safely.
1784 * PKCS#11 changes: (Alon Bar-Lev)
1785 - Modified ssl.c to not FATAL and return to init.c
1786 so auth-retry will work.
1787 - Modified pkcs11-helper.c to fix some problem with
1789 - Added retry counter to PKCS#11 PIN hook.
1790 - Modified PKCS#11 PIN retry loop to return correct error
1791 code when PIN is incorrect.
1792 - Fix handling (ignoring) zero sized attributes.
1794 - Fix openssl 0.9.6 (first version) issues.
1796 * Minor fixes of lladdr (Alon Bar-Lev)
1797 Updated makefile.w32-vc to include lladdr.*, updated
1799 Modified lladdr.c to be compiled under visual C.
1801 * Added two new management states:
1802 OPENVPN_STATE_RESOLVE -- DNS lookup
1803 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
1805 * Echo management state change to log.
1807 * Minor syshead.h change for NetBSD to allow
1808 TCP_NODELAY flag to work.
1810 * Modified --port-share code to remove the assumption that
1811 CMSG_SPACE always evaluates to a constant, to enable
1812 compilation on NetBSD and possibly other BSDs as well.
1814 * Eliminated gcc 3.3.3 warnings on NetBSD
1815 when ./configure --enable-strict is used.
1817 * Added optional minimum-number-of-bytes parameter
1818 to --inactive directive.
1820 2006.04.13 -- Version 2.1-beta14
1822 * Fixed Windows server bug in time backtrack handling code which
1823 could cause TLS negotiation failures on legitimate clients.
1825 * Rewrote gettimeofday function for Windows to be
1826 simpler and more efficient.
1828 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
1830 * Added --route-metric option to set a default route metric
1831 for --route (Roy Marples).
1833 * Added --lladdr option to specify the link layer (MAC) address
1834 for the tap interface on non-Windows platforms (Roy Marples).
1836 2006.04.12 -- Version 2.1-beta13
1838 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
1839 to 64 bits caused a bug in the Windows version which has now
1840 been fixed. The bug could cause intermittent crashes.
1842 2006.04.05 -- Version 2.1-beta12
1844 * Security Vulnerability -- An OpenVPN client connecting to a
1845 malicious or compromised server could potentially receive
1846 "setenv" configuration directives from the server which could
1847 cause arbitrary code execution on the client via a LD_PRELOAD
1848 attack. A successful attack appears to require that (a) the
1849 client has agreed to allow the server to push configuration
1850 directives to it by including "pull" or the macro "client" in
1851 its configuration file, (b) the client configuration file uses
1852 a scripting directive such as "up" or "down", (c) the client
1853 successfully authenticates the server, (d) the server is
1854 malicious or has been compromised and is under the control of
1855 the attacker, and (e) the attacker has at least some level of
1856 pre-existing control over files on the client (this might be
1857 accomplished by having the server respond to a client web request
1858 with a specially crafted file). Credit: Hendrik Weimer.
1861 The fix is to disallow "setenv" to be pushed to clients from
1862 the server, and to add a new directive "setenv-safe" which is
1863 pushable from the server, but which appends "OPENVPN_" to the
1864 name of each remotely set environmental variable.
1866 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
1868 * PKCS11 fixes (Alon Bar-Lev). For full description:
1869 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
1871 * When deleting routes under Linux, use the route metric
1872 as a differentiator to ensure that the route teardown
1873 process only deletes the identical route which was originally
1874 added via the "route" directive (Roy Marples).
1876 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
1877 (Matthias Andree, Dirk Meyer, Vasil Dimov).
1879 * Extended tun device configure code to support ethernet
1880 bridging on NetBSD (Emmanuel Kasper).
1882 2006.02.19 -- Version 2.1-beta11
1884 * Fixed --port-share bug that caused premature closing
1885 of proxied sessions.
1887 2006.02.17 -- Version 2.1-beta10
1889 * Fixed --port-share breakage introduced in 2.1-beta9.
1891 2006.02.16 -- Version 2.1-beta9
1893 * Added --port-share option for allowing OpenVPN and HTTPS
1894 server to share the same port number.
1895 * Added --management-client option to connect as a client
1896 to management GUI app rather than be connected to as a
1898 * Added "bytecount" command to management interface.
1899 * --remote-cert-tls fixes (Alon Bar-Lev).
1901 2006.01.03 -- Version 2.1-beta8
1903 * --remap-usr1 will now also remap signals thrown during
1905 * Added --connect-timeout option to control the timeout
1906 on TCP client connection attempts (doesn't work on all
1907 OSes). This patch also makes OpenVPN signalable during
1908 TCP connection attempts.
1909 * Fixed bug in acinclude.m4 where capability of compiler
1910 to handle zero-length arrays in structs is tested
1912 * Fixed typo in manage.c where inline function declaration
1913 was declared without the "static" keyword (David Stipp).
1914 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
1915 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
1916 proxy settings (currently Windows only).
1917 * Removed redundant base64 code.
1918 * Better sanity checking of --server and --server-bridge
1919 IP pool ranges, so as not to hit the assertion at
1921 * Fixed bug where --daemon and --management-query-passwords
1922 used together would cause OpenVPN to block prior to
1924 * Fixed client/server race condition which could occur
1925 when --auth-retry interact is set and the initially
1926 provided auth-user-pass credentials are incorrect,
1927 forcing a username/password re-query.
1928 * Fixed bug where if --daemon and --management-hold are
1929 used together, --user or --group options would be ignored.
1930 * --ip-win32 adaptive is now the default.
1931 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
1932 mode) can now set DNS/WINS addresses on the TAP-Win32
1934 * Added new option --route-method adaptive (Win32)
1935 which tries IP helper API first, then falls back to
1937 * Made --route-method adaptive the default.
1939 2005.11.12 -- Version 2.1-beta7
1941 * Allow blank passwords to be passed via the management
1943 * Fixed bug where "make check" inside a FreeBSD "jail"
1944 would never complete (Matthias Andree).
1945 * Fixed bug where --server directive in --dev tap mode
1946 claimed that it would support subnets of /30 or less
1947 but actually would only accept /29 or less.
1948 * Extend byte counters to 64 bits (M. van Cuijk).
1949 * Fixed bug in Linux get_default_gateway function
1950 introduced in 2.0.4, which would cause redirect-gateway
1951 on Linux clients to fail.
1952 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
1953 be compatible with 2.0.x distribution.
1954 * Documented --route-nopull.
1955 * Documented --ip-win32 adaptive.
1956 * Windows build now linked with LZO2.
1957 * Allow ca, cert, key, and dh files to be specified
1958 inline via XML-like syntax without needing to
1959 reference an explicit file.
1964 * Allow plugin and push directives to have multi-line
1965 parameter lists such as:
1971 * Added connect-retry-max option (Alon Bar-Lev).
1972 * Fixed problems where signals thrown during initialization
1973 were not returning to a management-hold state.
1974 * Added a backtrack-hardened system time algorithm.
1975 * Added --remote-cert-ku, --remote-cert-eku, and
1976 --remote-cert-tls options for verifying certificate
1977 attributes (Alon Bar-Lev).
1978 * For Windows, reverted --ip-win32 default back to "dynamic".
1979 To use new adaptive mode, set explicitly.
1981 2005.11.01 -- Version 2.1-beta6
1983 * Security fix (merged from 2.0.4) -- Affects non-Windows
1984 OpenVPN clients of version 2.0 or higher which connect to
1985 a malicious or compromised server. A format string
1986 vulnerability in the foreign_option function in options.c
1987 could potentially allow a malicious or compromised server
1988 to execute arbitrary code on the client. Only
1989 non-Windows clients are affected. The vulnerability
1990 only exists if (a) the client's TLS negotiation with
1991 the server succeeds, (b) the server is malicious or
1992 has been compromised such that it is configured to
1993 push a maliciously crafted options string to the client,
1994 and (c) the client indicates its willingness to accept
1995 pushed options from the server by having "pull" or
1996 "client" in its configuration file (Credit: Vade79).
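The two client-side fixes above (2.1-beta12: plain "setenv" is no longer pushable and "setenv-safe" prefixes each name with "OPENVPN_"; 2.1-beta6: the pushed text must never be used as a printf format string) can be shown together in one routine. The following is an added example and not OpenVPN's own foreign_option or setenv code; the function name, result codes and sample option lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes for one pushed option line (constructed for this example). */
#define PUSHED_REJECTED  -1   /* refused: never exported to scripts          */
#define PUSHED_ENV_SAFE   1   /* "setenv-safe NAME VAL" -> OPENVPN_NAME=VAL   */
#define PUSHED_FOREIGN    2   /* unrecognised option -> foreign_option_N=...  */

/* Accept only [A-Za-z0-9_] in an environment variable name. */
static int valid_env_name(const char *s, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}

/* Refuse control characters (newlines, NUL-adjacent bytes) in values. */
static int valid_env_value(const char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f) return 0;
    return 1;
}

/*
 * Convert one option line pushed by the server into the name=value pair
 * the client may export to its up/down scripts, writing it into out.
 *
 *  - "setenv ..."           -> PUSHED_REJECTED: plain setenv is not
 *                              pushable, so a server cannot set variables
 *                              such as LD_PRELOAD in the script environment
 *  - "setenv-safe NAME VAL" -> "OPENVPN_NAME=VAL", PUSHED_ENV_SAFE
 *  - any other line the caller did not recognise
 *                           -> "foreign_option_<index>=<line>", PUSHED_FOREIGN
 *
 * In every snprintf call the pushed text is a %s argument, never the
 * format string, so a line containing %n or %x is stored verbatim.
 */
int pushed_option_to_env(const char *line, int foreign_index,
                         char *out, size_t outlen)
{
    const char *name, *value;
    size_t namelen;
    int n;

    if (strcmp(line, "setenv") == 0 || strncmp(line, "setenv ", 7) == 0)
        return PUSHED_REJECTED;

    if (strncmp(line, "setenv-safe ", 12) == 0) {
        name = line + 12;
        while (*name == ' ') name++;
        namelen = strcspn(name, " ");
        value = name + namelen;
        while (*value == ' ') value++;
        if (!valid_env_name(name, namelen) || *value == '\0' ||
            !valid_env_value(value))
            return PUSHED_REJECTED;
        n = snprintf(out, outlen, "OPENVPN_%.*s=%s", (int)namelen, name, value);
        return (n < 0 || (size_t)n >= outlen) ? PUSHED_REJECTED : PUSHED_ENV_SAFE;
    }

    if (!valid_env_value(line)) return PUSHED_REJECTED;
    n = snprintf(out, outlen, "foreign_option_%d=%s", foreign_index, line);
    return (n < 0 || (size_t)n >= outlen) ? PUSHED_REJECTED : PUSHED_FOREIGN;
}

int main(void)
{
    /* Constructed sample of lines as a server might push them. */
    const char *pushed[] = {
        "setenv LD_PRELOAD /tmp/x.so",        /* rejected outright        */
        "setenv-safe SITE branch7",           /* exported as OPENVPN_SITE */
        "dhcp-option DNS 10.8.0.1 %n%n",      /* stored literally         */
    };
    char buf[128];
    for (int i = 0; i < 3; i++) {
        int rc = pushed_option_to_env(pushed[i], i + 1, buf, sizeof buf);
        printf("%-34s -> %2d %s\n", pushed[i], rc, rc > 0 ? buf : "(rejected)");
    }
    return 0;
}
```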
1998 * Security fix -- (merged from 2.0.4) Potential DoS
1999 vulnerability on the server in TCP mode. If the TCP
2000 server accept() call returns an error status, the resulting
2001 exception handler may attempt to indirect through a NULL
2002 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
2004 * Fix attempt of assertion at multi.c:1586 (note that
2005 this precise line number will vary across different
2006 versions of OpenVPN).
2007 * Windows reliability changes:
2008 (a) Added code to make sure that the local PATH environmental
2009 variable points to the Windows system32 directory.
2010 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
2011 and then fails over to 'netsh' if the DHCP negotiation fails.
2012 (c) Made --ip-win32 adaptive the default.
2013 * More PKCS#11 additions/changes (Alon Bar-Lev).
2014 * Added ".PHONY: plugin" to Makefile.am to work around
2016 * Fixed double fork issue that occurs when --management-hold
2018 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
2019 * Warn when multiple clients having the same common name or
2020 username usurp each other when --duplicate-cn is not used.
2021 * Modified Windows and Linux versions of get_default_gateway
2022 to return the route with the smallest metric
2023 if multiple 0.0.0.0/0.0.0.0 entries are present.
2024 * Added ">NEED-OK" alert and "needok" command to management
2025 interface to provide a general interface for sending
2026 alerts to the end-user. Used by the PKCS#11 code
2027 to send Token Insertion Requests to the user.
2028 * Added actual remote address used to the ">STATE" alert
2029 in the management interface (Rolf Fokkens).
2031 2005.10.17 -- Version 2.1-beta4
2033 * Fixed bug introduced in 2.1-beta3 where management
2034 socket bind would fail.
2035 * --capath fix in ssl.c (Zhuang Yuyao).
2036 * Added ".PHONY: plugin" to Makefile.am, reverted
2037 location of "plugin" directory (thanks to
2038 Matthias Andree for figuring this out).
2040 2005.10.16 -- Version 2.1-beta3
2042 * Added PKCS#11 support (Alon Bar-Lev).
2043 * Enable the use of --ca together with --pkcs12. If --ca is
2044 used at the same time as --pkcs12, the CA certificate is loaded
2045 from the file specified by --ca regardless if the pkcs12 file
2046 contains a CA cert or not (Mathias Sundman).
2047 * Merged --capath patch (Thomas Noel).
2048 * Merged --multihome patch.
2049 * Added --bind option for TCP client connections (Ewan Bhamrah
2051 * Moved "plugin" directory to "plugins" to deal with strange
2052 automake problem that ended up being also fixable with
2053 ".PHONY: plugin" in Makefile.am.
2055 2005.10.13 -- Version 2.1-beta2
2057 * Made --sndbuf and --rcvbuf pushable.
2059 2005.10.01 -- Version 2.1-beta1
2061 * Made LZO setting pushable.
2062 * Renamed sample-keys/tmp-ca.crt to ca.crt.
2063 * Fixed bug where remove_iroutes_from_push_route_list
2064 was missing routes if those routes had
2065 an implied netmask (by omission) of 255.255.255.255.
2066 * Merged with 2.0.3-rc1
2067 * easy-rsa/2.0 moved to easy-rsa
2068 * old easy-rsa moved to easy-rsa/1.0
2070 2005.09.23 -- Version 2.0.2-TO4
2072 * Added feature to TAP-Win32 adapter to allow it to be
2073 opened from non-administrator mode. This feature
2074 is enabled by default, and can be enabled/disabled
2075 in the adapter advanced properties dialog.
2076 * Added --allow-nonadmin standalone option for Windows to
2077 set TAP adapter to allow non-admin access. This
2078 is a user-mode version of the code, and duplicates
2079 the same feature as the above entry.
2080 * Added fix that attempts to solve corner case of tunnel not
2081 forwarding packets when system clock is reset to an earlier time.
2082 * Added --redirect-gateway bypass-dns option. (Developers:
2083 To add bypass-dhcp or bypass-dns support to other OSes,
2084 add a get_bypass_addresses function to route.c for
2086 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
2087 allows a client-connect plugin to return configuration text
2088 in memory, rather than via a file.
2089 * Fixed a bug where --mode server --proto tcp-server --cipher none
2090 operation could cause tunnel packet truncation.
2091 * openvpn --version will show [LZO1] or [LZO2], depending on
2092 version that was linked.
2094 2005.09.07 -- Version 2.0.2-TO1
2096 * Added --topology directive. See man page.
2097 * Added --redirect-gateway bypass-dhcp option to add a route
2098 allowing DHCP packets to bypass the tunnel, when the
2099 DHCP server is non-local. Currently only implemented
2101 * Modified OpenVPN Service on Windows to declare the DHCP
2102 client service as a dependency.
2103 * Extended the plugin interface to allow plugins to declare
2104 per-client constructor and destructor functions, to make
2105 it simpler for plugins to maintain per-client state.
2107 2005.09.25 -- Version 2.0.3-rc1
2109 * openvpn_plugin_abort_v1 function wasn't being properly
2110 registered on Windows.
2111 * Fixed a bug where --mode server --proto tcp-server --cipher none
2112 operation could cause tunnel packet truncation.
2114 2005.08.25 -- Version 2.0.2
2116 * No change from 2.0.2-rc1.
2118 2005.08.24 -- Version 2.0.2-rc1
2120 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
2121 which incorrectly set OpenVPN service to autostart.
2122 * Don't package source code zip file in Windows installer
2123 in order to reduce the size of the installer. The source
2124 zip file can always be downloaded separately if needed.
2125 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
2126 version of get_default_gateway. The socket allocated for route
2127 manipulation was never freed, so the number of mbufs grew continuously
2128 and exhausted system resources after a while (Jaroslav Klaus).
2129 * Fixed bug where "--proto tcp-server --mode p2p --management
2130 host port" would cause the management port to not respond until
2131 the OpenVPN peer connects.
2132 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
2134 2005.08.16 -- Version 2.0.1
2136 * Security Fix -- DoS attack against server when run with "verb 0" and
2137 without "tls-auth". If a client connection to the server fails
2138 certificate verification, the OpenSSL error queue is not properly
2139 flushed, which can result in another unrelated client instance on the
2140 server seeing the error and responding to it, resulting in disconnection
2141 of the unrelated client (CAN-2005-2531).
2142 * Security Fix -- DoS attack against server by authenticated client.
2143 This bug presents a potential DoS attack vector against the server
2144 which can only be initiated by a connected and authenticated client.
2145 If the client sends a packet which fails to decrypt on the server,
2146 the OpenSSL error queue is not properly flushed, which can result in
2147 another unrelated client instance on the server seeing the error and
2148 responding to it, resulting in disconnection of the unrelated client
2149 (CAN-2005-2532). Credit: Mike Ireton.
2150 * Security Fix -- DoS attack against server by authenticated client.
2151 A malicious client in "dev tap" ethernet bridging mode could
2152 theoretically flood the server with packets appearing to come from
2153 hundreds of thousands of different MAC addresses, causing the OpenVPN
2154 process to deplete system virtual memory as it expands its internal
2155 routing table. A --max-routes-per-client directive has been added
2156 (default=256) to limit the maximum number of routes in OpenVPN's
2157 internal routing table which can be associated with a given client
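The --max-routes-per-client mitigation above amounts to a hard cap on how many source MAC addresses one tap-mode client may teach the server. The following is an added example, not OpenVPN's mroute code: a bounded per-client learning table with the default cap of 256, fed by a constructed flood of frames from distinct source MACs so the effect of the cap can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES_PER_CLIENT 256   /* the default the entry describes */

struct mac_addr { uint8_t b[6]; };

/* One client's share of the server's internal (tap-mode) routing table.
 * The array is fixed-size, so memory use per client is bounded no matter
 * how many source addresses the client emits. */
struct client_routes {
    struct mac_addr addr[MAX_ROUTES_PER_CLIENT];
    int count;
    unsigned long rejected;   /* learn attempts refused at the cap */
};

void client_routes_init(struct client_routes *cr)
{
    memset(cr, 0, sizeof *cr);
}

static int mac_eq(const struct mac_addr *a, const struct mac_addr *b)
{
    return memcmp(a->b, b->b, sizeof a->b) == 0;
}

/* Learn the source MAC of a frame for this client.
 * Returns 1 if newly learned, 0 if already known, -1 if refused because
 * the client already owns MAX_ROUTES_PER_CLIENT entries. */
int client_routes_learn(struct client_routes *cr, const struct mac_addr *src)
{
    for (int i = 0; i < cr->count; i++)
        if (mac_eq(&cr->addr[i], src)) return 0;
    if (cr->count >= MAX_ROUTES_PER_CLIENT) {
        cr->rejected++;
        return -1;
    }
    cr->addr[cr->count++] = *src;
    return 1;
}

/* Extract the source MAC (bytes 6..11 of the Ethernet header).
 * Returns 0 on success, -1 if the frame is shorter than a header. */
int frame_source_mac(const uint8_t *frame, size_t len, struct mac_addr *out)
{
    if (len < 14) return -1;
    memcpy(out->b, frame + 6, sizeof out->b);
    return 0;
}

/* Constructed simulation: a single client sends one frame from each of
 * nsrc distinct locally-administered MACs (02:00:00:xx:xx:xx).
 * Returns the number of MACs learned; *refused receives the number of
 * frames turned away once the cap was reached. */
int simulate_client(unsigned nsrc, unsigned long *refused)
{
    struct client_routes cr;
    uint8_t frame[14] = {0};
    struct mac_addr src;

    client_routes_init(&cr);
    for (unsigned i = 0; i < nsrc; i++) {
        frame[6] = 0x02; frame[7] = 0x00; frame[8] = 0x00;
        frame[9]  = (uint8_t)(i >> 16);
        frame[10] = (uint8_t)(i >> 8);
        frame[11] = (uint8_t)i;
        if (frame_source_mac(frame, sizeof frame, &src) == 0)
            client_routes_learn(&cr, &src);
    }
    *refused = cr.rejected;
    return cr.count;
}

int main(void)
{
    unsigned long refused;
    int learned = simulate_client(100000, &refused);
    printf("learned %d routes, refused %lu frames beyond the cap\n",
           learned, refused);
    return 0;
}
```

Without the cap, the same loop would grow the table by one entry per distinct source address, which is the memory exhaustion the entry describes.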
2159 * Security Fix -- DoS attack against server by authenticated client.
2160 If two or more client machines try to connect to the server at the
2161 same time via TCP, using the same client certificate, and when
2162 --duplicate-cn is not enabled on the server, a race condition can
2163 crash the server with "Assertion failed at mtcp.c:411"
2165 * Fixed server bug where under certain circumstances, the client instance
2166 object deletion function would try to delete iroutes which had never been
2167 added in the first place, triggering "Assertion failed at mroute.c:349".
2168 * Added --auth-retry option to prevent auth errors from being fatal
2169 on the client side, and to permit username/password requeries in case
2170 of error. Also controllable via new "auth-retry" management interface
2171 command. See man page for more info.
2172 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
2173 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
2174 would fail to build.
2175 * Implement "make check" to perform loopback tests (Matthias Andree).
2177 2005.07.21 -- Version 2.0.1-rc7
2179 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
2180 * Include linux/types.h before checking for linux/errqueue.h (Matthias
2183 2005.07.15 -- Version 2.0.1-rc6
2185 * Commented out "user nobody" and "group nobody" in sample
2186 client/server config files.
2187 * Allow '@' character to be used in --client-config-dir
2190 2005.07.04 -- Version 2.0.1-rc5
2192 * Windows version will log a for-further-info URL when
2193 initialization sequence is completed with errors.
2194 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
2195 to control whether auth-pam plugin links to PAM via
2196 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
2197 behavior should be preserved. DLOPEN_PAM=0 is the preferred
2198 setting to link via -lpam, but DLOPEN_PAM=1 works around
2199 a bug in SuSE 9.1 (and possibly other distros as well)
2200 where the PAM modules are not linked with -lpam. See
2201 thread on openvpn-devel for more discussion about this
2202 patch (Simon Perreault).
2204 2005.06.15 -- Version 2.0.1-rc4
2206 * Support LZO 2.00, including changes to configure script to
2207 autodetect LZO version.
2209 2005.06.12 -- Version 2.0.1-rc3
2211 * Fixed a bug which caused standard file handles to not be closed
2212 after daemonization when --plugin and --daemon are used together,
2213 and if the plugin initialization function forks (as does auth-pam
2214 and down-root) (Simon Perreault).
2215 * Added client-side up/down scripts in contrib/pull-resolv-conf
2216 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
2217 on Linux/Unix systems (Jesse Adelman).
2218 * Fixed bug where if client-connect scripts/plugins were cascaded,
2219 and one (but not all) of them returned an error status, there might
2220 be cases where for an individual script/plugin, client-connect was
2221 called but not client-disconnect. The goal of this fix is to
2222 ensure that if client-connect is called on a given client instance,
2223 then client-disconnect will definitely be called. A potential
2224 complication of this fix is that when client-connect functions are
2225 cascaded, it's possible that the client-disconnect function would
2226 be called in cases where the related client-connect function returned
2227 an error status. This fix should not alter OpenVPN behavior when
2228 scripts/plugins are not cascaded.
2229 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
2230 fatal error to a warning: "FRAG: outgoing buffer is not empty".
2231 Need more info on how to reproduce this one.
2232 * When --duplicate-cn is used, the --ifconfig-pool allocation
2233 algorithm will now allocate the first available IP address.
2234 * When --daemon and --management-hold are used together,
2235 OpenVPN will daemonize before it enters the management hold state.
2237 2005.05.16 -- Version 2.0.1-rc2
2239 * Modified vendor test in openvpn.spec file to match against
2240 "Mandrakesoft" in addition to "MandrakeSoft".
2241 * Using --iroute in a --client-config-dir file while in --dev tap
2242 mode is not currently supported and will produce a warning
2243 message. Fixed bug where in certain cases, in addition to
2244 generating a warning message, this combination of options
2245 would also produce a fatal assertion in mroute.c.
2246 * Pass --auth-user-pass username to server-side plugin without
2247 performing any string remapping (plugins, unlike scripts,
2248 don't get any security benefit from string remapping).
2249 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
2250 where backslash characters in a username ('\') were being remapped
2251 to underscore ('_').
2252 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
2253 * Documented --explicit-exit-notify in man page.
2254 * --explicit-exit-notify seconds parameter defaults to 1 if
2257 2005.04.30 -- Version 2.0.1-rc1
2259 * Fixed bug where certain kinds of fatal errors after
2260 initialization (such as port in use) would leave plugin
2261 processes (such as openvpn-auth-pam) still running.
2262 * Added optional openvpn_plugin_abort_v1 plugin function for
2263 closing initialized plugin objects in the event of a fatal
2264 error by main OpenVPN process.
2265 * When the --remote list is > 1, and --resolv-retry is not
2266 specified (meaning that it defaults to "infinite"), apply the
2267 infinite timeout to the --remote list as a whole, but try each
2268 list item only once before moving on to the next item.
2269 * Added new --syslog directive which redirects output
2270 to syslog without requiring the use of the --daemon or --inetd
2272 * Added openvpn.spec option to allow RPM to be built with support
2273 for passwords read from a file:
rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'

2005.04.17 -- Version 2.0

* Fixed minor options string typo in options.c.

2005.04.10 -- Version 2.0-rc21

* Change license description from "GPL Version 2 or (at your
option) any later version" to just "GPL Version 2".

2005.04.04 -- Version 2.0-rc20

* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
excellent distro/version coverage for RH/EL/Fedora, though
using his own SPEC. I modified openvpn.spec to follow some of
the same conventions such as putting sample scripts and doc
files in %doc rather than /usr/share/openvpn.
* Minor change to init scripts to run the user-defined script
/etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
configs are started, and to run /etc/openvpn/openvpn-shutdown
after all OpenVPN configs have been stopped. The
openvpn-startup script can be used for stuff like
insmod tun.o, setting up firewall rules, or starting

2005.03.29 -- Version 2.0-rc19

* Omit additions of routes where the network and
gateway are equal and the netmask is 255.255.255.255.
This can come up if you are using both
server/ifconfig-pool and client-config-dir with
ifconfig-push static addresses for some subset of clients
which directly reference the server IP address as the

2005.03.28 -- Version 2.0-rc18

* Packaged Windows installer with OpenSSL 0.9.7f.
* Built Windows installer with NSIS 2.06.

2005.03.12 -- Version 2.0-rc17

* "MANAGEMENT: CMD" log file output will now only occur
at --verb 7 or greater.
* Added an optional name/value configuration list to
the openvpn-auth-pam plugin module argument list. See
plugin/auth-pam/README for documentation. This is necessary
in order for openvpn-auth-pam to work with queries generated
by arbitrary PAM modules.
* In both auth-pam and down-root plugins, in the forked process,
a read error on the parent process socket is no longer fatal.
* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
A conditional test of the vendor has been added to
Require the appropriately named 'lzo' (liblzo1 / lzo).
(Tom Walsh - http://openhardware.net)

2005.02.20 -- Version 2.0-rc16

* Fixed bug introduced in rc13 where Windows service wrapper
would be installed with a startup type of Automatic.
This fix restores the previous behavior of installing
with a startup type of Manual.

2005.02.19 -- Version 2.0-rc15

* Added warning when --keepalive is not used in a server
* Don't include OpenSSL md4.h file if we are not building
NTLM proxy support (Waldemar Brodkorb).
* Added easy-rsa/build-key-pkcs12 and
easy-rsa/Windows/build-key-pkcs12.bat scripts

2005.02.16 -- Version 2.0-rc14

* Fixed small memory leak that occurs when --crl-verify
* Upgraded Windows installer and .nsi script to NSIS 2.05
* Changed #include backslash usage in cryptoapi.c to use
forward slashes instead (Gisle Vanem).
* Created easy-rsa/revoke-full to handle revocations in
a single step: (a) revoke crt, (b) regenerate CRL, and
(c) verify that revocation succeeded.
* Renamed easy-rsa/Windows/revoke-key to revoke-full so
that both *nix and Windows scripts are equivalent.

2005.02.11 -- Version 2.0-rc13

* Improve human-readability of local/remote options
diff, when inconsistencies are present.
* For Windows easy-rsa, distribute vars.bat.sample and
openssl.cnf.sample, then copy them to their normal
filenames (without the .sample) when init-config.bat
is run. This is to prevent OpenVPN upgrades from
wiping out vars.bat and openssl.cnf edits.
* Modified service wrapper (Windows) to use a
case-insensitive search when scanning for .ovpn files
in \Program Files\OpenVPN\config. Prior versions
required an all-lower-case .ovpn file extension.
* Miscellaneous service wrapper code cleanup.
* If --user/--group is used on Windows, treat it
as a no-op with a warning (this makes it easier to
distribute the same client config file to Windows
* Warn if --ifconfig-pool-persist is used with

2005.02.05 -- Version 2.0-rc12

* Removed some debugging code inadvertently included
in rc11 which would print the --auth-user-pass
username/password provided by clients in the server
* Client code for cycling through --remote list will
retry the last address which successfully authenticated
before moving on through the list.
* Windows installer will now install sample configuration
files in \Program Files\OpenVPN\sample-configs as well
as generate a start menu shortcut to this directory.
* Minor type change in buffer.[ch] to work around char-type
ambiguity bug. Caused management interface lock-ups on
ARM when building with armv4b-hardhat-linux-gcc 2.95.3.

2005.02.03 -- Version 2.0-rc11

* Windows installer will now install easy-rsa directory
in \Program Files\OpenVPN
* Allow syslog facility to be controlled at compile time,
e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
* Changed certain shell scripts in distribution to use
#!/bin/sh rather than #!/bin/bash for better portability.
* If --ifconfig-pool-persist seconds parameter is 0, treat
persist file as an allocation of fixed IP addresses
(previous versions took IP-to-common-name associations
from this list as hints, not mandatory static allocations).
* Fixed bug on *nix where if --auth-user-pass and --log
were used together, the username prompt would be sent to
the log file rather than /dev/tty.
* Spurious text in openvpn.8 detected by doclifter
* Call closelog later on daemon kill so that process
exit message is written to syslog.

2005.01.27 -- Version 2.0-rc10

* When ./configure is run with plugins enabled (the default),
check whether or not dlopen exists in libc before testing
for libdl. This is to fix an issue on FreeBSD and possibly
other OSes which bundle libdl functions in libc.
* On Windows, filter initial WSAEINVAL warning which occurs
on the initial read attempt of an unbound socket.
* The easy-rsa scripts build-key, build-key-pass, and
build-key-server will now chmod the .key file
to 0600. This is in addition to the fact the generated
keys directory has always been similarly protected

2005.01.23 -- Version 2.0-rc9

* Fixed error "ROUTE: route addition failed using
CreateIpForwardEntry ..." on Windows when --redirect-gateway
is used over a RRAS internet link.
* When using --route-method exe on Windows, include the
gateway parameter on route delete commands (Mathias Sundman).
* Try not to do a hard reset (i.e. SIGHUP) when two
SIGUSR1 signals are received in close succession.
* If the push list tries to grow beyond its buffer capacity,
the resulting error will be non-fatal.
* To increase the push list capacity (must be done on both
client and server), increase TLS_CHANNEL_BUF_SIZE in
common.h (default=1024).

2005.01.15 -- Version 2.0-rc8

* Fixed bug introduced in rc7 where options error
"--auth-user-pass requires --pull" might occur even
if --pull was correctly specified.
* Changed management interface code to bind once
to TCP socket, rather than rebinding after every
* Added "disable" directive for client-config-dir
* Windows binary install is now distributed with
* Query the management interface for --http-proxy
username/password if authfile is set to "stdin".
* Added current OpenVPN version number to "Unrecognized
option or missing parameter" error message.
* Added "-extensions server" to "openssl req" command
in easy-rsa/build-key-server (Nir Yeffet).

2005.01.10 -- Version 2.0-rc7

* Fixed bug in management interface which could cause
100% CPU utilization in --proto tcp-server mode
on all *nix OSes except for Linux 2.6.
* --ifconfig-push now accepts DNS names as well as
* Added sanity check errors when --pull or
--auth-user-pass is used in an incorrect mode.
* Updated man page entries for --client-connect and
* Added "String Types and Remapping" section to man
page to concisely document the way which OpenVPN
may convert certain types of characters in strings
* Modified bridging description in HOWTO to emphasize
the fact that bridging allows Windows file and print
sharing without a WINS server (Charles Duffy).

2004.12.20 -- Version 2.0-rc6

* Improved checking for epoll support in ./configure
to fix false positive on RH9 (Jan Just Keijser).
* Made the "MULTI TCP: I/O wait required blocking in
multi_tcp_action, action=7" error nonfatal and replaced
with "MULTI: Outgoing TUN queue full, dropped packet".
So far the issue only seems to occur on Linux 2.2
in --mode server --proto tcp mode. It occurs when
the TUN/TAP driver locks up and refuses to accept
new packet writes for a second or more.
* Fixed bug where if a --client-config-dir file tried
to include another file using "config", and if that
include failed, OpenVPN would abort with a fatal
error. Now such inclusion failures will be logged
but are no longer fatal.
* Global changes to the way that packet buffer alignment
is handled. Previously we didn't care about alignment
and took care, when handling 16 and 32 bit words
in buffers, to always use alignment-safe transfers.
This approach appears to be inadequate on some
architectures such as alpha. The new approach is
to initialize packet buffers in a way that anticipates
how component structures will be allocated within
them, to maintain correct alignment.
* Added --dhcp-option DISABLE-NBT to disable NetBIOS
over TCP (Jan Just Keijser).
* Added --http-proxy-option directive for controlling
miscellaneous HTTP proxy options.
* Management state will no longer transition to "WAIT"
during TLS renegotiations.

2004.12.16 -- Version 2.0-rc5

* The --client-config-dir option will now try to open
a default file called "DEFAULT" if no file matching
the common name of the incoming client was found.
* The --client-connect script/plugin can now veto client
authentication by returning a failure code.
* The --learn-address script/plugin can now prevent a
client-instance/address association from being learned
by returning a failure code.
* Changed RPM group in .spec file to Applications/Internet.

2004.12.14 -- Version 2.0-rc4

* SuSE only -- Fixed interaction between openvpn.spec and
suse/openvpn.init where the .spec file was writing the
OpenVPN binary to a different location than where the
.init script was referencing it (Stefan Engel).
* Solaris only -- Split Solaris ifconfig command into two
parts (Jan Just Keijser).
* Some cleanup in add_option().
* Better error checking on input dotted quad IP addresses.
* Verify that --push argument is quoted, if there is
* More miscellaneous option sanity checks.

2004.12.13 -- Version 2.0-rc3

* On Windows, when --log or --log-append is used,
save the original stderr for username and password
* Fixed a bug introduced in the late 2.0 betas where
if a "verb" parameter >= 16 was used, it would be
ignored and the actual verb level would remain at 1.
* Fixed a bug mostly seen on OS X where --management-hold
or --management-query-passwords would cause the management
interface to be unresponsive to incoming client connections.
* Trigger an options error if one of the management-modifying
options is used without "management" itself.

2004.12.12 -- Version 2.0-rc2

* Amplified warnings in documentation about possible
man-in-the-middle attack when clients do not properly
verify server certificate. Changes to easy-rsa README,
FAQ, HOWTO, man page, and sample client config file.
* Added a warning message if --tls-client or --client
is used without also specifying one of either
--ns-cert-type, --tls-remote, or --tls-verify.
* status_open() fixes for MSVC builds (Blaine Fleming).
* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
compiler error which has been reported on some platforms.
* The openvpn.spec file for rpmbuild has several
new build-time options. See comments in the file.
* Plugins are now built and packaged in the RPM and
will be saved in /usr/share/openvpn/plugin/lib.
* Added --management-hold directive to start OpenVPN
in a hibernating state until released by the
management interface. Also added "hold" command
to the management interface.

2004.12.07 -- Version 2.0-rc1

* openvpn.spec workaround for SuSE confusion regarding
/etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).

2004.12.05 -- Version 2.0-beta20

* The ability to read --askpass and --auth-user-pass
passwords from a file has been disabled by default.
To re-enable, use ./configure --enable-password-save.
* Added additional pre-connected states to management
interface. See management/management-notes.txt
* State history is now recorded by the management
interface, and the "state" command now works like
the log or echo commands.
* State history and real-time state change notifications
are now prepended with an integer unix timestamp.
* Added --http-proxy-timeout option, previously
the timeout was hardcoded to 5 seconds.

2004.12.02 -- Version 2.0-beta19

* Fixed bug in management interface line termination
where output lines incorrectly contained a \00 char
after the customary \0d \0a.
* Fixed bug introduced in beta18 where Windows version
would segfault on options errors.
* Fixed bug in management interface where an empty
quoted string ("") entered as a parameter would cause
* Fixed bug where --resolv-retry was not working
properly with multiple --remote hosts.
* Added additional ./configure options to reduce
executable size for embedded applications.
See ./configure --help.

2004.11.28 -- Version 2.0-beta18

* Added management interface. See new --management-*
options or the full management interface documentation
in management/management-notes.txt in the tarball.
Management interface inclusion can be disabled by
./configure --disable-management.
* Added two new plugin modules: auth-pam and down-root.
Auth-pam supports pam-based authentication using a
split privilege execution model, while down-root enables
a down script to be executed with root privileges, even
when --user/--group is used to drop root privileges.
See the plugin directory in the tarball for READMEs,
source code, and Makefiles.
* Plugin developers should note that some changes were
made to the plugin interface since beta17. See
openvpn-plugin.h for details.
Plugin interface inclusion can be disabled with
./configure --disable-plugins
* Added easy-rsa/build-key-server script which will
build a certificate with nsCertType=server.
* Added --ns-cert-type option for verification
of nsCertType field in peer certificate.
* If --fragment n is specified and --mssfix is specified
without a parameter, default --mssfix to n. This restores
the 1.6 behavior when using --mssfix without a parameter.
* Fixed SSL context initialization bug introduced in beta14
where this error might occur on restarts: "Cannot load
certificate chain ... PEM_read_bio:no start line".

2004.11.11 -- Version 2.0-beta17

* Changed default port number to 1194 per IANA official
port number assignment.
* Added --plugin directive which allows compiled
modules to intercept script callbacks. See
plugin folder in tarball for more info.
* Fixed bug introduced in beta12 where --key-method 1
authentications which should have succeeded would fail.
* Ignore SIGUSR1 during DNS resolution.
* Added SuSE support to openvpn.spec (Umberto Nicoletti).
* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'

2004.11.07 -- Version 2.0-beta16

* Modified sample-scripts/auth-pam.pl to get username
and password from OpenVPN via a file rather than
via environmental variables.
* Added bytes_sent and bytes_received environmental
variables to be set prior to client-disconnect script.
* Changed client virtual IP derivation precedence:
(1) use --ifconfig-push directive from --client-connect
script, (2) use --ifconfig-push directive from
--client-config-dir, and (3) use --ifconfig-pool
* If a --client-config-dir file specifies --ifconfig-push,
it will be visible to the --client-connect-script in
the ifconfig_pool_remote_ip environmental variable.
* For tun-style tunnels, the ifconfig_pool_local_ip
environmental variable will be set, while for
tap-style tunnels, the ifconfig_pool_netmask variable
* Added intelligence to autoconf script to test
compiler for the accepted form of zero-length arrays.
* Fixed a bug introduced in beta12 where --ip-win32
netsh would fail if --dev-node was not explicitly
* --ip-win32 netsh will now work on hidden adapters.
* Fix attempt of "Assertion failed at crypto.c:149".
This assertion has also been reported on 1.x with a
slightly different line number. The fix is twofold:
(1) In previous releases, --mtu-test may trigger this
assertion -- this bug has been fixed. (2) If something
else causes the assertion to be thrown, don't panic,
just output a nonfatal warning to the log and drop
the packet which generated the error.
* Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
* Added --echo directive.
* Added --auth-nocache directive.

2004.10.28 -- Version 2.0-beta15

* Changed environmental variable character classes
so that names must consist of alphanumeric or
underbar chars and values must consist of printable
characters. Illegal chars will be deleted.
Versions prior to 2.0-beta12 were more restrictive
and would map spaces to '.'.
* On Windows, when the TAP adapter fails to
initialize with the correct IP address, output
"Initialization Sequence Completed with Errors"
to the console or log file.
* Added a warning when user/group/chroot is used
without persist-tun and persist-key.
* Added cryptoapi.[ch] to tarball and source zip.
* --tls-remote option now works with common name
prefixes as well as with the full X509 subject
string. This is a useful alternative to using
a CRL on the client.
* Common names associated with a static
--ifconfig-push setting will no longer leave
any state in the --ifconfig-pool-persist file.
* Hard TLS errors (TLS handshake failed) will now
trigger either a SIGUSR1 signal by default
or SIGTERM (if --tls-exit is specified). In TCP
mode, all TLS errors are considered to be hard.
In server mode, the signal will be local to the
* Added method parameter to --auth-user-pass-verify
directive to select whether username/password
is passed to script via environment or a temporary
* Added --status-version option to control format
of --status file. The --mode server
--status-version 2 format now includes a line
type token, the virtual IP address is shown
in the client list (even in --dev tap mode),
and the integer time_t value is shown anywhere
an ascii-formatted time/date is also shown.
* Added --remap-usr1 directive which can be used
to control whether internally or externally
generated SIGUSR1 signals are remapped to
SIGHUP (restart without persisting state) or
* When running as a Windows service (using
--service option), check the exit event before
and after reading one line of input from
stdin, when reading username/password info.
* For developers: Extended the --gremlin function
to better stress-test the new 2.0 features,
added Valgrind support on Linux and Dmalloc

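As an added illustration of the environmental-variable character-class rule in the first beta15 entry above (example code, not OpenVPN's own), a Python sanitizer that keeps variable names to alphanumerics and underscores and values to printable characters, deleting everything else, before the variables reach a script hook. The entry does not define "printable", so the example assumes printable ASCII; the sample input is constructed.

```python
import string

# Assumption (the entry does not define "printable"): printable ASCII,
# 0x20..0x7E. Newline, tab, NUL and non-ASCII characters are therefore deleted.
PRINTABLE = frozenset(chr(c) for c in range(0x20, 0x7F))
# Names: alphanumeric or underscore ("underbar") characters only.
NAME_CHARS = frozenset(string.ascii_letters + string.digits + "_")


def sanitize_name(name: str) -> str:
    """Delete every character of a variable name that is not [A-Za-z0-9_]."""
    return "".join(ch for ch in name if ch in NAME_CHARS)


def sanitize_value(value: str) -> str:
    """Delete every character of a variable value that is not printable."""
    return "".join(ch for ch in value if ch in PRINTABLE)


def build_script_env(pairs):
    """Build the environment handed to a script hook (e.g. --client-connect)
    from raw (name, value) pairs. A pair whose name is empty after sanitizing
    is dropped, because an empty variable name cannot be set."""
    env = {}
    for name, value in pairs:
        clean_name = sanitize_name(name)
        if not clean_name:
            continue
        env[clean_name] = sanitize_value(value)
    return env


# Constructed sample input (not a real capture): a peer common name that
# carries a newline and a printable shell metacharacter, a value with a
# trailing tab, a name with illegal characters, and a name with none left.
SAMPLE_PAIRS = [
    ("common_name", "client1\nextra; echo hi"),
    ("ifconfig_pool_remote_ip", "10.8.0.6\t"),
    ("bad name!", "value"),
    ("!!!", "dropped"),
]

if __name__ == "__main__":
    # The newline and tab are gone, but ';' survives because it is printable:
    # the filter removes control characters, not shell metacharacters, so a
    # hook script must still quote what it reads from the environment.
    for key, val in build_script_env(SAMPLE_PAIRS).items():
        print(f"{key}={val!r}")
```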
2004.10.19 -- Version 2.0-beta14

* Fixed a bug introduced in Beta12 that would occur
if you use a --client-connect script without also
* Fixed a bug introduced in Beta12 where a learn-address
script might segfault on the delete method.
* Added Crypto API support in Windows version via
the --cryptoapicert option (Peter 'Luna' Runestig).

2004.10.18 -- Version 2.0-beta13

* Fixed an issue introduced in Beta12 where the private
key password would not be prompted for unless --askpass
was explicitly specified in the config.

2004.10.17 -- Version 2.0-beta12

* Added support for username/password-based authentication.
Clients can now authenticate themselves with the server
using either a certificate, a username/password, or both.
New directives: --auth-user-pass, --auth-user-pass-verify,
--client-cert-not-required, and --username-as-common-name.
* Added NTLM proxy patch (William Preston).
* Added --ifconfig-pool-linear server flag to allocate
individual tun addresses for clients rather than /30
subnets (won't work with Windows clients).
* Modified --http-proxy code to cache username/password
* Modified --http-proxy code to read username/password
from the console when the auth file is given as "stdin".
* Modified --askpass to take an optional filename argument.
* --persist-tun and --persist-key now work in client mode
and can be pushed to clients as well.
* Added --ifconfig-pool-persist directive, to maintain
ifconfig-pool info in a file which is persistent across
daemon instantiations.
* --user and --group privilege downgrades as well as
--chroot now also work in client mode (the
downgrade/chroot will be delayed until the initialization
sequence is completed).
* Added --show-engines standalone directive to show
available OpenSSL crypto accelerator engine support.
* --engine directive now accepts an optional engine-ID
parameter to control which engine is used.
* "Connection reset, restarting" log message now shows
which client is being reset.
* Added --dhcp-pre-release directive in Windows version.
* Second parm to --ip-win32 can be "default", e.g.
--ip-win32 dynamic default 60.
* Fixed documentation bug regarding environmental
variable settings for --ifconfig-pool IP addresses.
The correct environmental variable names are:
ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
environmental variables are now passed to the
client-disconnect script.
* In server mode, environmental variables are now scoped
according to the client they are associated with,
to solve the problem of "crosstalk" between different
clients' environmental variable sets.
* Added --down-pre flag to cause --down script to be
called before TUN/TAP close (rather than after).
* Added --tls-exit flag which will cause OpenVPN
to exit on any TLS errors.
* Don't push a route to a client if it exactly
matches an iroute (this lets you push routes to
all clients, and OpenVPN will automatically remove
the route from the route push list only for that client
which the route actually belongs to).
* Made '--resolv-retry infinite' the default.
--resolv-retry can be disabled by using a parameter of 0.
* For clients which plan to pull config info from server,
set an initial default ping-restart of 60 seconds.
* Optimized mute code to lessen the load on the processor
when messages are being muted at a higher frequency.
* Made route log messages non-mutable.
* Silence the Linux "No buffer space available" message.
* Added miscellaneous additional option sanity checks.
* Added Windows version of easy-rsa scripts in
easy-rsa/Windows directory (Andrew J. Richardson).
* Added NetBSD route patch (Ed Ravin).
* Added OpenBSD patch for TAP + --redirect-gateway
(Waldemar Brodkorb).
* Directives which prompt for a username and/or password
will now work with --daemon (OpenVPN will prompt
* Warn if CRL is from a different issuer than the
issuer of the peer certificate (Bernhard Weisshuhn).
* Changed init script chkconfig parameters to start
OpenVPN daemon(s) before NFS.
* Bug fix attempt of "too many I/O wait events" which occurs
on OSes which prefer select() over poll() such as Mac OS X.
* Added --ccd-exclusive flag. This flag will require, as a
condition of authentication, that a connecting client has
a --client-config-dir file.
* TAP-Win32 open code will attempt to open a free adapter
if --dev-node is not specified (Mathias Sundman).
* Resequenced --nice and --chroot ordering so that --nice
* Added --suppress-timestamps flag (Charles Duffy).
* Source code changes to allow compilation by MSVC
(Peter 'Luna' Runestig).
* Added experimental --fast-io flag which optimizes
TUN/TAP/UDP writes on non-Windows systems.

2004.08.18 -- Version 2.0-beta11

* Added --server, --server-bridge, --client, and
--keepalive helper directives. See client.conf
and server.conf in sample-config-files for sample
configurations which use the new directives.
* On Windows, added --route-method to control
whether IP Helper API or route.exe is used
to add/delete routes.
* On Windows, added a second parameter to
--route-delay to control the maximum time period
to wait for the TAP-Win32 adapter to come up
before adding routes.
* Fixed bug in Windows version where configurations
which omit --ifconfig might fail to recognize when
the TAP adapter is up.
* Proxy connection failures will now retry according
to the --connect-retry parameter.
* Fixed --dev null handling on Windows so that TLS
loopback test described in INSTALL file works
correctly on Windows.
* Added "Initialization Sequence Completed" message
after all initialization steps have been completed
and the VPN can be considered "up".
* Better sanity-checking on --ifconfig-pool parameters.
* Added --tcp-queue-limit option to control
TUN/TAP -> TCP socket overflow.
* --ifconfig-nowarn flag will now silence general
warnings about possible --ifconfig address
conflicts, including the warning about --ifconfig
and --remote addresses being in same /24 subnet.
* Fixed case where server mode did not correctly
identify certain types of ethernet multicast packets
* Added --explicit-exit-notify option (experimental).

2004.08.02 -- Version 2.0-beta10

* Fixed possible reference after free of option strings
after a restart, bug was introduced in beta8.
* Fixed segfault at route.c:919 in the beta9
Windows version that was being caused by indirection
through a NULL pointer.
* Mistakenly built debug version of TAP-Win32 driver
for beta9. Beta10 has correct release build.

2004.07.30 -- Version 2.0-beta9

* Fixed --route issue on Windows that was introduced with
the new beta8 route implementation based on the

2004.07.27 -- Version 2.0-beta8

* Added TCP support in server mode.
* Added PKCS #12 support (Mathias Sundman).
* Added patch to make revoke-crt and make-crl work
seamlessly within the easy-rsa environment (Jan Kiszka).
* Modified --mode server ethernet bridge code to forward
special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
* Added --dhcp-renew and --dhcp-release flags to Windows
version. Normally DHCP renewal and release on the TAP
adapter occurs automatically under Windows, however
if you set the TAP-Win32 adapter Media Status property
to "Always Connected", you may need these flags.
* Added --show-net standalone flag to Windows version to
show OpenVPN's view of the system adapter and routing
* Added --show-net-up flag to Windows version to output
the system routing table and network adapter list to
the log file after the TAP-Win32 adapter has been brought
up and any routes have been added.
* Modified Windows version to add routes using the IP Helper
API rather than by calling route.exe.
* Fixed bug where --route-up script was not being called
if no --route options were specified.
* Added --mute-replay-warnings to suppress packet replay
warnings. This is a common false alarm on WiFi nets.
* Added "def1" flag to --redirect-gateway option to override
the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
rather than 0.0.0.0/0. This has the benefit of overriding
but not wiping out the original default gateway.
(Thanks to Jim Carter for pointing out this idea).
* You can now run OpenVPN with a single config file argument.
For example, you can now say "openvpn config.conf"
rather than "openvpn --config config.conf".
* On Windows, made --route and --route-delay more adaptive
with respect to waiting for interfaces referenced by the
route destination to come up. Routes added by --route
should now be added as soon as the interface comes up,
rather than after an obligatory 10 second delay. The
way this works internally is that --route-delay now
defaults to 0 on Windows. Previous versions would
wait for --route-delay seconds then add the routes.
This version will wait --route-delay seconds and then
test the routing table at one second intervals for the
next 30 seconds and will not add the routes until they
can be added without errors.
* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
default on TCP/UDP socket in light of reports that this
action can have undesirable global side effects on the
MTU settings of other adapters. These parameters can
still be set, but you need to explicitly specify
--sndbuf and/or --rcvbuf.
* Added --max-clients option to limit the maximum number
of simultaneously connected clients in server mode.
* Added error message to illuminate shell escape gotcha when
single backslashes are used in Windows path names.
* Added optional netmask parm to --ifconfig-pool.
* Fixed bug where http-proxy connect retry attempts were
incorrectly going to the remote OpenVPN server,
not to the HTTP proxy server.

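An added example (not OpenVPN's own code) of why the "def1" entry in beta8 above overrides but does not wipe out the original default gateway: a minimal longest-prefix-match route table in Python, with constructed gateway addresses, comparing the two /1 routes against replacing 0.0.0.0/0 outright.

```python
import ipaddress

# Constructed sample values (not from the page): the LAN default gateway and
# the VPN gateway reached through the tunnel interface.
LAN_GW = "192.168.1.1"
VPN_GW = "10.8.0.1"


class RouteTable:
    """Minimal routing table: a list of (network, gateway) entries with
    longest-prefix-match lookup, enough to model the kernel's choice."""

    def __init__(self):
        self.routes = []

    def add(self, cidr, gateway):
        self.routes.append((ipaddress.ip_network(cidr), gateway))

    def delete(self, cidr):
        net = ipaddress.ip_network(cidr)
        self.routes = [(n, g) for n, g in self.routes if n != net]

    def replace(self, cidr, gateway):
        self.delete(cidr)
        self.add(cidr, gateway)

    def lookup(self, dst):
        """Return the gateway of the most specific matching route, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def redirect_gateway_def1(table):
    """def1 style: two /1 routes cover the whole address space and are more
    specific than /0, so they win every lookup while 0.0.0.0/0 stays put."""
    table.add("0.0.0.0/1", VPN_GW)
    table.add("128.0.0.0/1", VPN_GW)


def undo_def1(table):
    """Tearing down def1 only needs the two /1 routes removed."""
    table.delete("0.0.0.0/1")
    table.delete("128.0.0.0/1")


def redirect_gateway_replace(table):
    """Non-def1 style: 0.0.0.0/0 itself is replaced, so the original
    gateway is no longer in the table."""
    table.replace("0.0.0.0/0", VPN_GW)


def demo():
    t = RouteTable()
    t.add("0.0.0.0/0", LAN_GW)
    before = t.lookup("8.8.8.8")        # LAN gateway
    redirect_gateway_def1(t)
    low = t.lookup("8.8.8.8")           # VPN gateway via 0.0.0.0/1
    high = t.lookup("200.1.2.3")        # VPN gateway via 128.0.0.0/1
    undo_def1(t)
    after = t.lookup("8.8.8.8")         # LAN gateway again, nothing to remember

    t2 = RouteTable()
    t2.add("0.0.0.0/0", LAN_GW)
    redirect_gateway_replace(t2)
    t2.delete("0.0.0.0/0")
    lost = t2.lookup("8.8.8.8")         # None: the original default is gone
    return before, low, high, after, lost


if __name__ == "__main__":
    print(demo())
```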
2004.06.29 -- Version 2.0-beta7

* Fixed bug in link_socket_verify_incoming_addr() which
under certain circumstances could have caused --float
behavior even if --float was not specified.
* --tls-auth option now works with --mode server.
All clients and the server should use the same
--tls-auth key when operating in client/server mode.
* Added --engine option to make use of OpenSSL-supported
crypto acceleration hardware.
* Fixed some high verbosity print format size issues
in event.c for 64 bit platforms (Janne Johansson).
* Made failure to open --log or --log-append file

2004.06.23 -- Version 2.0-beta6

* Fixed Windows installer to intelligently put
up a reboot dialog only if tapinstall tells
us that it's really necessary.
* Fixed "Assertion failed at fragment.c:309"
bug when --mode server and --fragment are used
* Ignore HUP, USR1, and USR2 signals during
initialization. Prior versions would abort.
* Fixed bug on OS X: "Assertion failed at event.c:406".
* Added --service option to Windows version, for use
when OpenVPN is being programmatically instantiated
by another process (see man page for info).
* --log and --log-append options now work on Windows.
* Update OpenBSD INSTALL notes (Janne Johansson).
* Enable multicast on tun interface when running on
OpenBSD (Pavlin Radoslavov).
* Fixed recent --test-crypto breakage, where options
such as --cipher were not being parsed correctly.
* Modified options compatibility string by removing
ifconfig substring if it is empty. Incremented
options compatibility string version number to 4.
* Fixed typo in --tls-timeout option parsing

2004.06.13 -- Version 2.0-beta5

* Fixed rare --mode server crash that could occur
if data was being routed to a client at
high bandwidth at the precise moment that the
client instance object on the server was being
* Fixed issue on machines which have epoll.h and
the epoll_create glibc call defined, but which
don't actually implement epoll in the kernel.
OpenVPN will now gracefully fall back to the
poll API in this case.
* Fixed Windows bug which would cause the following
error in a --mode server --dev tap configuration:
"resource limit WSA_MAXIMUM_WAIT_EVENTS has been
* Added CRL (certificate revocation list) management
scripts to easy-rsa directory (Jon Bendtsen).
* Do a better job of getting the ifconfig component
of the options consistency check to work correctly
when --up-delay is used.
* De-inlined some functions which were too complex
to be inlined anyway with gcc.
* If a --dhcp-option option is pushed to a non-windows
client, the option will be saved in the client's
environment before the --up script is called, under
the name "foreign_option_{n}".
* Added --learn-address script (see man page) which
allows for firewall access through the VPN to be
controlled based on the client common name.
* In --mode server mode, when a client connects to
the server, the server will disconnect any
still-active clients which use the same common
name. Use --duplicate-cn flag to revert to
previous behavior of allowing multiple clients
to concurrently connect with the same common name.

2004.06.08 -- Version 2.0-beta4

* Fixed issue with beta3 where Win32 service wrapper
was keying off of old TAP HWID as a dependency. To
ensure that the new service wrapper is correctly
installed, the Windows install script will uninstall
the old wrapper before installing the new one,
causing a reset of service properties.
* Fixed permissions issue on --status output file,
with default access permissions of owner read/write
only (default permissions can be changed of course with

2004.06.05 -- Version 2.0-beta3

* More changes to TAP-Win32 driver's INF file which
affects the placement of the driver in the Windows
device namespace. This is done to work around an
apparent bug in Windows when short HWIDs are used,
and will also ease the upgrade from 1.x to 2.0 by
reducing the chances that a reboot will be needed
on upgrade. Like beta2, this upgrade will
delete existing TAP-Win32 interfaces, and reinstall
a single new interface with default properties.
* Major rewrite of I/O event wait layer in the style
of libevent. This is a precursor to TCP support
* New feature: --status. Outputs a SIGUSR2-like
status summary to a given file, updated once
per n seconds. The status file is comma delimited
3078 for easy machine parsing.
3079 * --ifconfig-pool now remembers common names and
3080 will try to assign a consistent IP to a given
3081 common name. Still to do: persist --ifconfig-pool
3082 memory across restarts by saving state in file.
3083 * Fixed bug in event timer queue which could cause
3084 recurring timer events such as --ping to not
3085 correctly schedule again after firing. This in
3086 turn would cause spurrious ping restarts and possible
3087 connection outages. Thanks to Denis Vlasenko for
3089 * Possible fix to reported bug where --daemon argument
3090 was not printing to syslog correctly after restart.
3091 * Fixed bug where pulling --route or --dhcp-option
3092 directives from a server would problematically
3093 interact with --persist-tun on the client.
3094 * Updated contrib/multilevel-init.patch (Farkas Levente).
3095 * Added RPM build option to .spec and .spec.in files
3096 to optionally disable LZO inclusion (Ian Pilcher).
3097 * The latest MingW runtime and headers define
3098 'ssize_t', so a patch is needed (Gisle Vanem).
3100 2004.05.14 -- Version 2.0-beta2
3102 * Fixed signal handling bug in --mode server, where
3103 SIGHUP and SIGUSR1 were treated as SIGTERM.
3104 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
3105 Apparently the larger string may work around
3106 a problem where the TAP adapter is sometimes missing
3107 from the network connections panel, especially under
3108 XP SP2. Also note that installing this upgrade will
3109 uninstall any pre-existing TAP-Win32 adapters, and then
3110 install a single new adapter, meaning that old adapter
3111 properties will be lost. Thanks to Md5Chap for solving
3113 * For --mode server --dev tap, the options --ifconfig and
3114 --ifconfig-pool are now optional. This allows address
3115 assignment via DHCP or use of a TAP VPN without
3116 IP support, as has always been possible with 1.x.
3117 * Fixed bug where --ifconfig may not work correctly on
3119 * Added 'local' flag to --redirect-gateway for use on
3120 networks where both OpenVPN daemons are connected
3121 to a shared subnet, such as wireless.
3123 2004.05.09 -- Version 2.0-beta1
3125 * Unchanged from test29 except for version number
3128 2004.05.08 -- Version 2.0-test29
3130 * Modified --dev-node on Windows to accept a TAP-Win32
3131 GUID name. In addition, --show-adapters will now
3132 display the high-level name and GUID of each adapter.
3133 This is an attempt to work around an issue in Windows
3134 where sometimes the TAP-Win32 adapter installs correctly
3135 but has no icon in the network connections control
3136 panel. In such cases, being able to specify
3137 --dev-node {TAP-GUID} can work around the missing icon.
3139 2004.05.07 -- Version 2.0-test28
3141 * Fixed bug which could cause segfault on program
3142 shutdown if --route and --persist-tun are used
3145 2004.05.06 -- Version 2.0-test27
3147 * Fixed bug in close_instance() which might cause
3148 memory to be accessed after it had already been freed.
3149 * Fixed bug in verify_callback() that might have
3150 caused uninitialized data to be referenced.
3151 * --iroute now allows full CIDR subnet routing.
3152 * In "--mode server --dev tun" usage, source addresses
3153 on VPN packets coming from a particular client must
3154 be associated with that client in the OpenVPN internal
3157 2004.04.28 -- Version 2.0-test26
3159 * Optimized broadcast path in multi-client mode.
3160 * Added socket buffer size options --rcvbuf & --sndbuf.
3161 * Configure Linux tun/tap driver to use a more sensible
3162 txqueuelen default. Also allow explicit setting
3163 via --txqueuelen option (Harald Roelle).
3164 * The --remote option now allows the port number
3165 to be specified as the second parameter. If
3166 unspecified, the port number defaults to the
3168 * Multiple --remote options on the client can now be
3169 specified for load balancing and failover. The
3170 --remote-random flag can be used to initially randomize
3171 the --remote list for basic load balancing.
3172 * If a remote DNS name resolves to multiple DNS addresses,
3173 one will be chosen by random as a kind of basic
3174 load-balancing feature if --remote-random is used.
3175 * Added --connect-freq option to control maximum
3176 new connection frequency in multi-client mode.
3177 * In multi-client mode, all syslog messages associated
3178 with a specific client now include a client-ID prefix.
3179 * For Windows, use a gettimeofday() function based
3180 on QueryPerformanceCounter (Derek Burdick).
3181 * Fixed bug in interaction between --key-method 2
3182 and DES ciphers, where dynamic keys would be generated
3183 with bad parity and then be rejected.
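The DES parity failure in the last entry above is easy to reproduce. The following is an added example in Python, not OpenVPN's code: each DES key byte carries an odd-parity bit in its low position, so unrepaired random key material passes a checked key setup with probability only 2^-8 per 8-byte key, which is why freshly generated dynamic keys were being rejected. The example shows the check, the repair (which leaves the 56 effective key bits untouched), and the standard four-entry DES weak-key table that a checked key setup also refuses. The names `prepare_des_key`, `generate_des_key` and `raw_random_keys_rejected` are chosen for this example.

```python
"""DES key parity: check and repair (added example, not OpenVPN's own code).

Each DES key byte uses only its upper 7 bits for the key schedule; the low
bit is a parity bit that must make the byte's popcount odd. A checked key
setup rejects keys with bad parity, which is what happened to freshly
generated dynamic keys in the entry above."""
import os

VALID_KEY_LENGTHS = (8, 16, 24)  # single DES, 2-key 3DES, 3-key 3DES

# The four classic DES weak keys (odd parity already applied).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def _odd_parity_byte(b: int) -> int:
    """Return b with its low bit chosen so the byte has an odd number of 1 bits."""
    high7 = b & 0xFE
    ones = bin(high7).count("1")
    return high7 | (0 if ones % 2 == 1 else 1)


def des_check_odd_parity(key: bytes) -> bool:
    """True if the length is valid and every byte of key has odd parity."""
    return len(key) in VALID_KEY_LENGTHS and all(bin(b).count("1") % 2 == 1 for b in key)


def des_set_odd_parity(key: bytes) -> bytes:
    """Fix the parity bit of every byte; the 56 effective key bits per block are unchanged."""
    if len(key) not in VALID_KEY_LENGTHS:
        raise ValueError(f"DES key material must be 8, 16 or 24 bytes, got {len(key)}")
    return bytes(_odd_parity_byte(b) for b in key)


def des_key_is_weak(key: bytes) -> bool:
    """True if any 8-byte component is one of the known weak keys."""
    return any(key[i:i + 8] in DES_WEAK_KEYS for i in range(0, len(key), 8))


def prepare_des_key(material: bytes) -> bytes:
    """What a checked key setup needs: correct parity first, then refuse weak keys."""
    key = des_set_odd_parity(material)
    if des_key_is_weak(key):
        raise ValueError("weak DES key; regenerate")
    return key


def generate_des_key(length: int = 8, rng=os.urandom) -> bytes:
    """Draw random key material and repair it; retry only on the (rare) weak key."""
    if length not in VALID_KEY_LENGTHS:
        raise ValueError(f"DES key material must be 8, 16 or 24 bytes, got {length}")
    while True:
        try:
            return prepare_des_key(rng(length))
        except ValueError:
            continue  # parity never fails after repair, so this is a weak key


def raw_random_keys_rejected(trials: int = 64, rng=os.urandom) -> int:
    """Count how many of `trials` unrepaired random 8-byte keys fail the parity check.
    Each passes with probability 2**-8, so nearly all are rejected (the bug above)."""
    return sum(not des_check_odd_parity(rng(8)) for _ in range(trials))
```

`rng` is injectable so the behaviour can be checked deterministically; in practice it stays `os.urandom`.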

2004.04.17 -- Version 2.0-test24

* Reworked multi-client broadcast handling.

2004.04.13 -- Version 2.0-test23

* Fixed bug in --dev tun --client-to-client routing.
* Fixed a potential deadlock in --pull.
* Fixed a problem with select() usage which could
  cause a repeating sequence of "select : Invalid

2004.04.11 -- Version 2.0-test22

* Fixed bug where --mode server + --daemon was
  prematurely closing syslog connection.
* Added support for --redirect-gateway on Mac OS X
* Minor changes to TAP-Win32 driver based on feedback
  from the NDISTest tool.

2004.04.11 -- Version 2.0-test21

* Optimizations in multi-client server event loop.

2004.04.10 -- Version 2.0-test20

* --mode server capability now works with either tun
  or tap interfaces. When used with tap interfaces,
  OpenVPN will internally bridge all client tap
  interfaces with the server tap interface.
* Connecting clients can now have a client-specific
  configuration on the server, based on the client
  common name embedded in the client certificate.
  See --client-config-dir and --client-connect.
  These options can be used to configure client-specific
* Added an option --client-to-client that enables
  internal client-to-client routing or bridging.
  Otherwise, clients will only "see" the server,
  not other connected clients.
* Fixed bug in route scheduling which would have caused
  --mode server to not work on Windows in test18
  and test19 with the sample config file.
* Man page is up to date with all new options.
* OpenVPN 2.0 release notes on web site updated
  with tap-style tunnel examples.

2004.04.02 -- Version 2.0-test19

* Fixed bug where routes pushed from server were
  not working correctly on Windows clients.
* Added Mac OS X route patch (Jeremy Apple).

2004.03.30 -- Version 2.0-test18

* Minor fixes + Windows self-install modified
  to use OpenSSL 0.9.7d.

2004.03.29 -- Version 2.0-test17

* Fixed some bugs related to instance timeout and deletion.
* Extended --push/--pull option to support additional

2004.03.28 -- Version 2.0-test16

* Successful test of --mode udp-server, --push,
  --pull, and --ifconfig-pool with server on
  Linux 2.4 and clients on Linux and Windows.

2004.03.25 -- Version 2.0-test15

* Implemented hash-table lookup of client instances
  based either on remote UDP address/port or remote
* Implemented a randomized binary tree based
  scheduler for scalably scheduling a large number
  of client instance events. Uses the treap
  data structure and node rotation algorithm
  to keep the tree balanced.
* Initial implementation of ifconfig-pool.
* Made --key-method 2 the default.

2004.03.20 -- Version 2.0-test14

* Implemented --push and --pull.

2004.03.20 -- Version 2.0-test13

* Reduced struct tls_multi and --single-session
* Modified --single-session flag to be used
  in multi-client UDP server client instances.

2004.03.19 -- Version 2.0-test12

* Added the key multi-client UDP server options,
  --mode, --push, --pull, and --ifconfig-pool.
* Revamped GC (garbage collection) code to not rely
* Modifications to thread.[ch] to allow a more
  flexible thread model.

2004.03.16 -- Version 2.0-test11

* Moved all timer code to interval.h, added new file
* Fixed missing include.

2004.03.16 -- Version 2.0-test10

* More TAP-Win32 fixes.
* Initial debugging and testing of multi.[ch].

2004.03.14 -- Version 2.0-test9

* Branch merge with 1.6-rc3
* More point-to-multipoint work in multi.[ch].
* Major TAP-Win32 driver restructuring to use
  NdisMRegisterDevice instead of
  IoCreateDevice/IoCreateSymbolicLink.
* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
* In the majority of cases, TAP-Win32 should now be
  able to install and uninstall on Win2K without requiring
* TAP-Win32 MAC address can now be explicitly set in the
  adapter advanced properties page.

2004.03.04 -- Version 2.0-test8

* Branch merge with 1.6-rc2.

2004.03.03 -- Version 2.0-test7

* Branch merge with 1.6-rc1.2.

2004.03.02 -- Version 2.0-test6

* Branch merge with 1.6-rc1.

2004.03.02 -- Version 2.0-test5

* Move Socks5 UDP header append/remove to socks.c, and is
  called from forward.c.
* Moved verify statics from ssl.c into struct tls_session.
* Wrote multi.[ch] to handle top level of point-to-multipoint
* Wrote some code to allow a struct link_socket in a child context
  to be slaved to the parent context.
* Broke up packet read and process functions in forward.c
  (from socket or tuntap) into separate functions for read
  and process, so that point-to-point and point-to-multipoint can
  share the same code.
* Expand TLS control channel to allow the passing of configuration
* Wrote mroute.[ch] to handle internal packet routing for
  point-to-multipoint mode.

2004.02.22 -- Version 2.0-test3

* Initial work on UDP multi-client server.
* Branch merge of 1.6-beta7

2004.02.14 -- Version 2.0-test2

* Refactorization of openvpn.c into openvpn.[ch]
  init.[ch] forward.[ch] forward-inline.h
  occ.[ch] occ-inline.h ping.[ch] ping-inline.h
  sig.[ch]. Created a master per-tunnel
  struct context in openvpn.h.
* Branch merge of 1.6-beta6.2

2003.11.06 -- Version 2.0-test1

* Initial testbed for 2.0.

2004.05.09 -- Version 1.6.0

* Unchanged from 1.6-rc4 except for version number

2004.04.01 -- Version 1.6-rc4

* Made minor customizations to devcon and
  renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
* OpenSSL 0.9.7d bundled with Windows self-install.

2004.03.13 -- Version 1.6-rc3

* Minor Windows fixes for --ip-win32 dynamic, relating to
  the way the TAP-Win32 driver responds to a DHCP request
  from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
  set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
  allowing the --redirect-gateway option to work
  (Juan Rodriguez Hervella).

2004.03.04 -- Version 1.6-rc2

* Fixed bug in Windows version where the NetBIOS node-type
  DHCP option might have been passed even if it was not
* Fixed bug in Windows version introduced in 1.6-rc1, where
  DHCP timeout would be set to 0 seconds if --ifconfig option
  was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.

2004.03.02 -- Version 1.6-rc1

* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
  unless --ip-win32 dynamic is not used or --route-delay
  is explicitly specified.
* L_TLS mutex could have been left in a locked state
  for certain kinds of TLS errors.

2004.02.22 -- Version 1.6-beta7

* Allow scheduling priority increase (--nice) together
  with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
  mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
  variable called tls_serial_{n} prior to calling the
  --tls-verify script. n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
  a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
  function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
  originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
  infrastructure to accommodate proxy-based encapsulation
* Added --dhcp-option to Windows version for setting
  adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
  --ip-win32 dynamic is specified (only applicable when
  --route-delay is not explicitly specified).
* Added "log_append" registry variable to control
  whether the OpenVPN service wrapper on Windows
  opens log files in append (log_append="1") or
  truncate (log_append="0") mode. The default

2004.02.05 -- Version 1.6-beta6

* UDP over Socks5 fix to accommodate Socks5 encapsulation
  overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
  invalidate existing lease with DHCPNAK).

2004.02.01 -- Version 1.6-beta5

* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
  enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.

2004.01.27 -- Version 1.6-beta4

* For this beta, the Windows self-install is a debug version
  and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
* Added the offset parameter to '--ip-win32 dynamic' which
  can be used to control the address of the masqueraded
  DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
  be used with TCP sockets, TLS authentication, and over
  a bridged configuration -- see FAQ for more info)
  (Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
  debug messages can be output by OpenVPN at --verb 6

2004.01.20 -- Version 1.6-beta2

* Added ./configure --enable-iproute2 flag which
  uses iproute2 instead of route + ifconfig --
  this is necessary for the LEAF Linux distro
* Added renewal-time and rebind-time to set of
  DHCP options returned by the TAP-Win32 driver when
  "--ip-win32 dynamic" is used.

2004.01.14 -- Version 1.6-beta1

* Fixed --proxy bug that sometimes caused plaintext
  control info generated by the proxy prior to http
  CONNECT method establishment to be incorrectly
  parsed as OpenVPN data.
* For Windows version, implemented the
  "--ip-win32 dynamic" method and made it the default.
  This method sets the TAP-Win32 adapter IP address
  and netmask by replying to the kernel's DHCP queries.
  See the man page for more detailed info.
* Added --connect-retry parameter which controls
  the time interval (in seconds) between connect()
  retries when --proto tcp-client is used. Previously,
  this value was hardcoded to 5 seconds, and still
* --resolv-retry can now be used with a parameter
  of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
  for support of multi-level certificate chains
* Fixed --tls-auth incompatibility with 1.4.x and earlier
  versions of OpenVPN when the passphrase file is an
  OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
  the backslash character ("\") so that (for example)
  double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
  and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
  allow the configuration file directory to be a
  multi-level directory hierarchy (Farkas Levente).
  See contrib/multilevel-init.patch
* Added some scripts and documentation on using
  Linux "fwmark" iptables rules to enable
  fine-grained routing control over the VPN
  (Sean Reifschneider, <jafo@tummy.com>).
  See contrib/openvpn-fwmarkroute-1.00

2003.11.20 -- Version 1.5.0

* Minor documentation changes.

2003.11.04 -- Version 1.5-beta14

* Fixed build problem with ./configure --disable-ssl
  that was reported on Debian woody.
* Fixed bug where --redirect-gateway could not be used
  together with --resolv-retry.

2003.11.03 -- Version 1.5-beta13

* Added CRL (certificate revocation list) capability using
  --crl-verify option (Stefano Bracalenti).
* Added --replay-window option for variable replay-protection
* Fixed --fragment bug which might have caused certain large
  packets to be sent unfragmented.
* Modified --secret and --tls-auth to permit different cipher and
  HMAC keys to be used for each data flow direction. Also
  increased static key file size generated by --genkey from
  1024 to 2048 bits, where 512 bits each are reserved for
  send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
  and backward compatibility is maintained. See --secret option
  documentation on the man page for more info.
* Added --tls-remote option (Teemu Kiviniemi).
* Fixed --tls-cipher documentation regarding correct delimiter
  usage (Teemu Kiviniemi).
* Added --key-method option for selecting alternative data
  channel key negotiation methods. Method 1 is the default.
  Method 2 has been added (see man page for more info).
* Added French translation of HOWTO to web site
  (Guillaume Lehmann).
* Fixed problem caused by late resolver library load on
  certain platforms when --resolv-retry and --chroot are
  used together (Teemu Kiviniemi).
* In TCP mode, all decryption or TLS errors will abort the current
  connection (this is not done in UDP mode because UDP is
* Fixed a TCP client reconnect bug that only occurs on the
  BSDs, where connect() fails with an invalid argument. This
  bug was partially (but not completely) fixed in beta7.
* Added "route_net_gateway" environmental variable which contains
  the pre-existing default gateway address from the routing table
  (there's no standard API for getting the default gateway, so
  right now this feature only works on Windows or Linux).
* Renamed the "route_default_gateway" environmental variable to
  "route_vpn_gateway" -- this is the remote VPN endpoint.
* The special keywords vpn_gateway, net_gateway, and remote_host
  can now be used for the network or gateway components of the
  --route option. See the man page for more info.
* Added the --redirect-gateway option to configure the VPN
  as the default gateway (implemented on Linux and Windows only).
* Added the --http-proxy option with basic authentication
  support for use in TCP client mode. Successfully tested
  using Squid as the HTTP proxy, with and without authentication.
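The 1.5-beta13 entry on --secret and --tls-auth describes a concrete layout: a 2048-bit static key holding four 512-bit slots, in the order send-HMAC, encrypt, receive-HMAC, decrypt, so that each traffic direction gets its own cipher and HMAC keys. The following is an added example in Python, not OpenVPN's code, that generates a key in that layout, parses it back into its four slots, and shows that a packet authenticated by one peer's send-HMAC key verifies only under the other peer's receive-HMAC key. The `BEGIN`/`END` marker strings follow the textual static key file format; the direction flag, the mirroring rule that swaps the slots for direction 1, using the leading 20 bytes of a slot as the HMAC-SHA1 key, and the function names are assumptions of this example. Older 1024-bit files, which the entry says remain compatible, are rejected here because the entry does not describe their slot mapping.

```python
"""OpenVPN-style static key file: four 512-bit slots mapped to two directions.
Added example in Python; not OpenVPN's own code."""
import hashlib
import hmac
import os

SLOT_BYTES = 64                                                  # 512 bits per slot
SLOT_NAMES = ("send-hmac", "encrypt", "recv-hmac", "decrypt")    # order from the changelog entry
KEY_FILE_BYTES = SLOT_BYTES * len(SLOT_NAMES)                    # 2048 bits in total
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
HMAC_KEY_LEN = hashlib.sha1().digest_size  # 20; assumption: leading bytes of a slot are the HMAC key


def genkey(rng=os.urandom) -> str:
    """Write a fresh 2048-bit key in the textual layout (hex, 16 bytes per line)."""
    raw = rng(KEY_FILE_BYTES)
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_FILE_BYTES, 16)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def parse_key_file(text: str) -> dict:
    """Return the four slots by name; refuse anything that is not a 2048-bit file."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing static key markers")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    raw = bytes.fromhex("".join(body))
    if len(raw) != KEY_FILE_BYTES:
        # 1024-bit files stay compatible in OpenVPN per the entry above, but the
        # entry does not describe their slot mapping, so this example rejects them.
        raise ValueError(f"expected a {KEY_FILE_BYTES * 8}-bit key, got {len(raw) * 8} bits")
    return {name: raw[i * SLOT_BYTES:(i + 1) * SLOT_BYTES] for i, name in enumerate(SLOT_NAMES)}


def keys_for_direction(slots: dict, direction: int) -> dict:
    """Direction 0 uses the slots as written; direction 1 mirrors them so that its
    send keys are the peer's receive keys (the mirroring rule is this example's assumption)."""
    if direction == 0:
        return dict(slots)
    if direction == 1:
        return {"send-hmac": slots["recv-hmac"], "encrypt": slots["decrypt"],
                "recv-hmac": slots["send-hmac"], "decrypt": slots["encrypt"]}
    raise ValueError("direction must be 0 or 1")


def authenticate(keys: dict, payload: bytes) -> bytes:
    """Prefix payload with an HMAC-SHA1 tag computed under the sender's send-HMAC key."""
    tag = hmac.new(keys["send-hmac"][:HMAC_KEY_LEN], payload, hashlib.sha1).digest()
    return tag + payload


def verify(keys: dict, packet: bytes):
    """Return the payload if the tag checks under the receiver's recv-HMAC key, else None."""
    tag, payload = packet[:HMAC_KEY_LEN], packet[HMAC_KEY_LEN:]
    expected = hmac.new(keys["recv-hmac"][:HMAC_KEY_LEN], payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def directional_keys_are_consistent(text: str) -> bool:
    """Peer A (direction 0) sends to peer B (direction 1): B verifies, while the same
    packet fails under A's own receive key, showing the two flows use distinct keys."""
    slots = parse_key_file(text)
    a, b = keys_for_direction(slots, 0), keys_for_direction(slots, 1)
    packet = authenticate(a, b"constructed payload")  # constructed sample payload
    return verify(b, packet) == b"constructed payload" and verify(a, packet) is None
```

The per-direction split is what buys protection against reflection: a packet a peer sent cannot be played back to it as if it came from the other side, because the receive-HMAC key on each side differs from its own send-HMAC key.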

2003.10.12 -- Version 1.5-beta12

* Fixed Linux-only bug in --mktun and --rmtun which was
  introduced around beta8 or so, which would cause
  an error such as "I don't recognize device tun0 as a
  tun or tap device1".
* Added --ifconfig-nowarn option to disable options
  consistency warnings about --ifconfig parameters.
* Don't allow any kind of sequence number backtracking or
  message reordering when in TCP mode.
* Changed beta naming convention to use '_' (underscore)
  rather than '-' (dash) to pacify rpmbuild.

2003.10.08 -- Version 1.5-beta11

* Modified code in the Windows version which sets the IP address
  and netmask of the TAP-Win32 adapter using the IP Helper API.
  Most of the changes involve better error recovery when
  the IP Helper API returns an error status. See the
  manual page entry on --ip-win32 for more info.

2003.10.08 -- Version 1.5-beta10

* Added getpass() function for Windows version so that --askpass
  option works correctly (Stefano Bracalenti).
* Added reboot advisory to end of Win32 install script.
* Changed crypto code to use pseudo-random IVs rather than
  carrying forward the IV state from the previous packet.
  This is in response to item 2 in the following document:
  http://www.openssl.org/~bodo/tls-cbc.txt which points
  out weaknesses in TLS's use of the same IV carryforward
  approach. This change does not break protocol compatibility
  with previous versions of OpenVPN.
* Made a change to the crypto replay protection code to also
  protect against certain kinds of packet reordering attacks.
  This change does not break protocol compatibility with
  previous versions of OpenVPN.
* Added --ip-win32 option to provide several choices for
  setting the IP address on the TAP-Win32 adapter.
* #ifdefed out non-CBC crypto modes by default.
* Added --up-delay option to delay TUN/TAP open and --up script
  execution until after connection establishment. This option
  replaces the earlier windows-only option --tap-delay.
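Three entries in this stretch concern replay protection: 1.5-beta13 adds --replay-window for a variable window size, 1.5-beta12 forbids any sequence number backtracking or reordering in TCP mode, and 1.5-beta10 above hardens the replay code against packet reordering. The following is an added example in Python, not OpenVPN's code: it implements the standard sliding-window anti-replay check (the same bitmap scheme IPsec uses), which tolerates reordering within the window but rejects duplicates and anything that has fallen out of the window, plus a strict mode that models the TCP rule by accepting only the next id in sequence. The `strict` flag, the reject-rather-than-abort behaviour for TCP (OpenVPN aborts the connection per the beta13 entry), and the function names are assumptions of this example; the window size plays the role of the --replay-window size parameter.

```python
"""Sliding-window replay protection for packet ids (added example, not OpenVPN code).

Bit i of the bitmap is set when id (top - i) has been seen, so the window
covers ids top, top-1, ..., top-(window-1). Ids start at 1; 0 is never valid."""


class ReplayWindow:
    def __init__(self, window: int = 64, strict: bool = False):
        if window < 1:
            raise ValueError("window must be at least 1")
        self.window = window
        self.strict = strict      # assumed flag modelling the TCP rule (no backtracking at all)
        self.top = 0              # highest packet id accepted so far
        self.bitmap = 0           # bit i set  <=>  id (top - i) has been seen

    def check(self, pid: int) -> bool:
        """Accept and record pid if it is fresh; reject replays, stale ids and id 0."""
        if pid <= 0:
            return False
        if self.strict:
            if pid != self.top + 1:
                return False      # backtracking or reordering: refuse
            self.top = pid
            return True
        if pid > self.top:
            shift = pid - self.top
            if shift >= self.window:
                self.bitmap = 1   # everything previously seen has fallen out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = pid
            return True
        offset = self.top - pid
        if offset >= self.window:
            return False          # too old to track: treat as a replay
        if self.bitmap & (1 << offset):
            return False          # already seen: replay
        self.bitmap |= 1 << offset  # late but first-seen: accept (reordering within the window)
        return True


def run_sequence(ids, window: int = 64, strict: bool = False) -> list:
    """Feed a constructed arrival order through one window and report each verdict."""
    rw = ReplayWindow(window, strict)
    return [rw.check(pid) for pid in ids]


def demo() -> dict:
    """Constructed arrival orders: mild reordering, duplicates, a jump, and a stale id."""
    return {
        "udp": run_sequence([1, 2, 3, 5, 4, 3, 2, 100, 99, 1], window=8),
        "tcp": run_sequence([1, 2, 4, 3], strict=True),
    }
```

With window 8 the UDP sequence yields accept for 1, 2, 3, 5 and the late 4, reject for the replayed 3 and 2, accept for the jump to 100 and the late 99, and reject for the stale 1; in strict mode the out-of-order 4 is refused and 3 is then accepted as the next expected id.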
3619 2003.10.01 -- Version 1.5-beta9
3621 * Fixed --route-noexec bug where option was not parsed correctly.
3622 * Complain if --dev tun is specified without --ifconfig on Windows.
3623 * Fixed bug where TCP connections on windows would sometimes cause
3624 an assertion failure.
3625 * Added a new flag to TAP-Win32 advanced properties that allows one
3626 to set the adapter to be always "connected" even when an OpenVPN
3627 process doesn't have it open. The default behavior is to report
3628 a media status of connected only when an OpenVPN process has the
3630 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
3631 DLLs in response to an OpenSSL security advisory.
3633 2003.09.30 -- Version 1.5-beta8
3635 * Extended the --ifconfig option to work on tap devices as well
3637 * Implemented the --ifconfig option for Windows, by calling the
3639 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
3640 refresh the MAC cache. This behaviour can be disabled with
3642 * On Windows, allow the --dev-node parameter (which specifies
3643 the name of the TAP-Win32 adapter) to be omitted in cases where
3644 there is a single TAP-Win32 adapter on the system which can be
3645 assumed to be the default.
3646 * Modified the diagnostic --verb 5 debugging level to print 'R'
3647 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
3648 and 'w' for TUN/TAP write.
3649 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
3651 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
3652 * Make the --enable-mtu-dynamic ./configure option enabled by
3654 * Deprecated the --mtu-dynamic run-time option, in favor of
3656 * DNS names can now be used as --ifconfig parameters.
3657 * Significant work on TAP-Win32 driver to bring up to SMP standards.
3658 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
3659 unloaded or disabled, while a user-space process has it open.
3660 * On Windows, if --tun-mtu is not specified, it will be read from
3661 the TAP-Win32 driver via ioctl.
3662 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
3663 signal (only when run from a console window).
3664 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
3665 * Renamed --mtu-dynamic option to --fragment to more accurately
3666 reflect its function. Fragment accepts a single parameter which
3667 is the upper limit on acceptable UDP packet size.
3668 * Changed default --tun-mtu-extra parameter to 32 from 64.
3669 * Eliminated reference to malloc.o in configure.ac.
3670 * Added tun device emulation to the TAP-Win32 driver.
3671 * Added --route and related options.
3672 * Added init script for SuSE Linux (Frank Plohmann).
3673 * Extended option consistency check between peers to function
3674 in all crypto modes, including static-key and cleartext modes.
3675 Previously only TLS mode was supported. Disable with
3677 * Overall, increased the amount of configuration option sanity
3678 checking, especially of networking parameters.
3679 * Added --mtu-test option for empirical MTU measurement.
3680 * Added Windows-only option --tap-delay to not set the TAP-Win32
3681 adapter media state to 'connected' until TCP/UDP connection
3682 establishment with peer.
3683 * Slightly modified --route/--route-delay semantics so that when
3684 --route is given without --route-delay, routes are added
3685 immediately after tun/tap device open. When --route-delay is
3686 specified, routes will be added n seconds after connection
3687 initiation, where n is the --route-delay parameter (which
3689 * Made TCP framing error into a non-fatal error that triggers a
3692 2003.08.28 -- Version 1.5-beta7
3694 * Fixed bug that caused OpenVPN not to respond to exit/restart
3695 signals when --resolv-retry is used and a local or remote DNS
3696 name cannot be resolved.
3697 * Exported a series of environmental variables with useful
3698 info for scripts. See man page for more info. Based
3699 on a suggestion by Anthony Ciaravalo.
3700 * Moved TCP/UDP socket bind to a point in the initialization
3701 before the --up script gets called. This is desirable
3702 because (a) a socket bind failure will happen before
3703 daemonization, allowing an error status code to be returned
3704 to the shell and (b) the possibility is eliminated of a
3705 socket bind failure causing the --up script to be run
3706 but not the --down script. This change has a side effect
3707 that --resolv-retry will no longer work with --local.
3708 * Fixed bug where if an OpenVPN TCP server went down and back
3709 up again, Solaris or FreeBSD clients would fail to reconnect
3711 * Fixed bug that prevented OpenVPN from being run by
3712 inetd/xinetd in TCP mode.
3713 * Added --log and --log-append options for logging messages to
3715 * On Windows, check that the current user is a member of the
3716 Administrator group before attempting install or uninstall.
3718 2003.08.16 -- Version 1.5-beta6
3720 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
3722 2003.08.14 -- Version 1.5-beta5
3724 * Added user-configurability of the TAP-Win32 adapter MTU
3725 through the adapter advanced properties page.
3726 * Added Windows Service support.
3727 * On Windows, added file association and right-clickability
3728 for .ovpn files (OpenVPN config files).
3730 2003.08.05 -- Version 1.5-beta4
3732 * Extra refinements and error checking added to Windows
3733 NSIS install script.
3735 2003.08.05 -- Version 1.5-beta3
3737 * Added md5.h include to crypto.c to fix build problem on
3739 * Created a Win32 installer using NSIS.
3740 * Removed DelService command from TAP-Win32 INF file. It appears
3741 to be not necessary and it interfered with the ability to
3742 uninstall and reinstall the driver without needing to reboot.
3743 * On Windows version, added "addtap" and "deltapall" batch
3744 files to add and delete TAP-Win32 adapter instances.
3746 2003.07.31 -- Version 1.5-beta2
3748 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
3749 in Windows ASCII so it's easier to click and view.
3750 * Added postscript and PDF versions of the HOWTO to the web
3752 * Merged Michael Clarke's stability patch into TAP-Win32
3753 driver which appears to fix the suspend/resume driver bug
3754 and significantly improve driver stability.
3755 * Added Christof Meerwald's Media Status patch to the
TAP-Win32 driver which shows the TAP adapter to be
  disconnected when OpenVPN is not running.
* Moved socket connect and TCP server listen code to a later
  point in openvpn() function so that the TCP server listen
  state is entered after daemonization.
* Added keyboard shortcuts to simulate signals in the Windows
  version, see the window title bar for descriptions.

2003.07.24 -- Version 1.5-beta1

* Added TCP support via the new --proto option.
* Renamed udp-centric options such as --udp-mtu to
  --link-mtu (old option names preserved for compatibility).
* Ported to Windows 2000 + XP using mingw and a TAP driver
  derived from the Cipe-Win32 project by Damion K. Wilson.
* Added --show-adapters flag for windows version.
* Reworked the SSL/TLS packet acknowledge code to better
  handle certain corner cases.
* Turned off the default enabling of IP forwarding in the
  sample-scripts/openvpn.init script for Redhat.
  Forwarding can be enabled by users in their --up scripts
* Added --up-restart option based on suggestion from Sean
* If --dev tap or --dev-type tap is specified, --tun-mtu
  defaults to 1500 and --tun-mtu-extra defaults to 64.
* Enabled --verb 5 debugging mode that prints 'R' and 'W'
  for each packet read or write on the TCP/UDP socket.

2003.08.04 -- Version 1.4.3

* Added md5.h include to crypto.c
  to fix build problem on OpenBSD.

2003.07.15 -- Version 1.4.2

* Removed adaptive bandwidth from
  --mtu-dynamic -- its absence appears
  to work better than its existence (1.4.1.2).
* Minor changes to --shaper to fix long
  retransmit timeouts at low bandwidth
* Added LOG_RW flag to openvpn.h for
  debugging (1.4.1.2).
* Silenced spurious configure warnings (1.4.1.2).
* Backed out --dev-name patch, modified --dev
  to offer equivalent functionality (1.4.1.4).
* Added an optional parameter to --daemon and
  --inetd to support the passing of a custom
  program name to the system logger (1.4.1.5).
* Add compiled-in options to the program title
* Coded the beginnings of a WIN32 port (1.4.1.5).
* Succeeded in porting to Win32 Mingw environment
  and running loopback tests (1.4.1.6). Still
  need a kernel driver for full Win32
* Fixed a bug in error.h where
  HAVE_CPP_VARARG_MACRO_GCC was misspelled.
  This would have caused a significant slowdown
  of OpenVPN when built by compilers that
  lack ISO C99 vararg macros (1.4.1.6).
* Created an init script for Gentoo Linux
  in ./gentoo directory (1.4.1.6).

2003.05.15 -- Version 1.4.1

* Modified the Linux 2.4 TUN/TAP open code to
  fall back to the 2.2 TUN/TAP interface if the
  open or ioctl fails.
* Fixed bug when --verb is set to 0 and non-fatal
  socket errors occur, causing 100% CPU utilization.
  Occurs on platforms where
  EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
* Fixed typo in tun.c that was preventing
* Added --enable-mtu-dynamic configure option
  to enable --mtu-dynamic experimental option.

2003.05.07 -- Version 1.4.0

* Added --replay-persist feature to allow replay
  protection across sessions.
* Fixed bug where --ifconfig could not be used
* Added --tun-mtu-extra parameter to deal with
  the situation where a read on a TUN/TAP device
  returns more data than the device's MTU size.
* Fixed bug where some IPv6 support code for
  Linux was not being properly ifdefed out for
  Linux 2.2, causing compile errors.
* Added OPENVPN_EXIT_STATUS_x codes to
  openvpn.h to control which status value
  openvpn returns to its caller (such as
  a shell or inetd/xinetd) for various conditions.
* Added OPENVPN_DEBUG_COMMAND_LINE flag to
  openvpn.h to allow debugging in situations
  where stdout, stderr, and syslog cannot be used
  for message output, such as when OpenVPN is
  instantiated by inetd/xinetd.
* Removed owner-execute permission from file
  created by static key generator (Herbert Xu
  and Alberto Gonzalez Iniesta).
* Added --passtos option to allow IPv4 TOS bits
  to be passed from TUN/TAP input packets to
  the outgoing UDP socket (Craig Knox).
* Added code to prevent open socket file descriptors
  from being accessible to called scripts.
* Added --dev-name option (Christian Lademann).
* Added --mtu-disc option for manual control
* Show OS MTU value on UDP socket write failures
* Numerous build system and portability
  fixes (Matthias Andree).
* Added better sensing of compiler support for
  variable argument macros, including (a) gcc
  style, (b) ISO C 1999 style, and (c) no support.
* Removed generated files from CVS. Note INSTALL
  file for new CVS build commands.
* Changed certain internal symbol names
  for C standards compliance.
* Added TUN/TAP open code to cycle dynamically
  through unit numbers until it finds a free
  unit (based on code from Thomas Gielfeldt
* Added dynamic MTU and fragmenting infrastructure
  (Experimental). Rebuild with FRAGMENT_ENABLE
* Minor changes to SSL/TLS negotiation, use
  exponential backoff on retransmits, and use
  a smaller MTU size (note that no protocol
  changes have been made which would break
  compatibility with 1.3.x).
* Added --enable-strict-options flag
  to ./configure. This option will cause
  a more strict check for options compatibility
  between peers when SSL/TLS negotiation is used,
  but should only be used when both OpenVPN peers
  are of the same version.
* Reorganization of debugging levels.
* Added a workaround in configure.ac for
  default SSL header location on Linux
  to fix RH9 build problem.
* Fixed potential deadlock when pthread support
  is used on OSes that allocate a small socketpair()
* Fixed openvpn.init to be sh compliant
* Changed --daemon to wait until all
  initialization is finished before becoming a
  daemon, for the benefit of initialization
  scripts that want a useful return status from
  the openvpn command.
* Made openvpn.init script more robust, including
  positive indication of initialization errors
  in the openvpn daemon and better sanity checks.
* Changed --chroot to wait until initialization
  is finished before calling chroot(), and allow
  the use of --user and --group with --chroot.
* When syslog logging is enabled (--daemon or
  --inetd), set stdin/stdout/stderr to point
* For inetd instantiations, dup socket descriptor
* Fixed bug in verify-cn script, where test would
  incorrectly fail if CN=x was the last component
  of the X509 composite string (Anonymous).
* Added Markus F.X.J. Oberhumer's special
  license exception to COPYING.

2002.10.23 -- Version 1.3.2

* Added SSL_CTX_set_client_CA_list call
  to follow the canonical form for TLS initialization
  recommended by the OpenSSL docs. This change allows
  better support for intermediate CAs and has no impact
* Added build-inter script to easy-rsa package, to
  facilitate the generation of intermediate CAs.
* Ported to NetBSD (Dimitri Goldin).
* Fixed minor bug in easy-rsa/sign-req. It refers to
  openssl.cnf file, instead of $KEY_CONFIG, like all
  other scripts (Ernesto Baschny).
* Added --days 3650 to the root CA generation command
  in the HOWTO to override the woefully small 30 day
  default (Dominik 'Aeneas' Schnitzer).
* Fixed bug where --ping-restart would sometimes
  not re-resolve remote DNS hostname.
* Added --tun-ipv6 option and related infrastructure
  support for IPv6 over tun.
* Added IPv6 over tun support for Linux (Aaron Sethman).
* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
  INSTALL (Matthias Andree).
* Added inetd/xinetd support (--inetd) including
  documentation in the HOWTO.
* Added "Important Note on the use of commercial certificate
  authorities (CAs) with OpenVPN" to HOWTO based on
  issues raised on the openvpn-users list.

2002.07.10 -- Version 1.3.1

* Fixed bug in openvpn.spec and openvpn.init
  which caused RPM upgrade to fail.

2002.07.10 -- Version 1.3.0

* Added --dev-node option to allow explicit selection of
  tun/tap device node.
* Removed mlockall call from child thread, as it doesn't
  appear to be necessary (child thread inherits mlockall
* Added --ping-timer-rem which causes timer for --ping-exit
  and --ping-restart not to run unless we have a remote IP
* Added condrestart to openvpn.init and openvpn.spec
* Added --ifconfig case for FreeBSD (Matthias Andree).
* Call openlog with facility=LOG_DAEMON (Matthias Andree).
* Changed LOG_INFO messages to LOG_NOTICE.
* Added warning when key files are group/others accessible.
* Added --single-session flag for TLS mode.
* Fixed bug where --writepid would segfault if used with
  an invalid filename.
* Fixed bug where --ipchange status message was formatted
* Print more concise error message when system() call
* Added --disable-occ option.
* Added --local, --remote, and --ifconfig options sanity
* Changed default UDP MTU to 1300 and TUN/TAP MTU to
* Successfully tested with OpenSSL 0.9.7 Beta 2.
* Broke out debug level definitions to errlevel.h
* Minor documentation and web site changes.
* All changes maintain protocol compatibility
  with OpenVPN versions since 1.1.0, however default
  MTU changes will require setting the MTU explicitly
  by command line option, if you want 1.3.0 to
  communicate with previous versions.

2002.06.12 -- Version 1.2.1

* Added --ping-restart option to restart
  connection on ping timeout using SIGUSR1
  logic (Matthias Andree).
* Added --persist-tun, --persist-key,
  --persist-local-ip, and --persist-remote-ip
  options for finer-grained control over SIGUSR1
  and --ping-restart restarts. To
  replicate previous SIGUSR1 functionality,
  use --persist-remote-ip.
* Changed residual IV fetching code to take
  IV from tail of ciphertext.
* Added check to make sure that CFB or OFB
  cipher modes are only used with SSL/TLS
  authentication mode, and added a caveat
* Changed signal handling during initialization
  (including re-initialization during restarts)
  to exit on SIGTERM or SIGINT and ignore other
  signals which would ordinarily be caught.
* Added --resolv-retry option to allow
  retries on hostname resolution.
* Expanded the --float option to also
  allow dynamic changes in source port number
  on incoming datagrams.
* Added --mute option to limit repetitive
  logging of similar message types.
* Added --group option to downgrade GID
  after initialization.
* Try to set ifconfig path automatically
* Added --ifconfig code for Mac OS X
  (Christoph Pfisterer).
* Moved "Peer Connection Initiated" message
* Successfully tested with
  OpenSSL 0.9.7 Beta 1 and AES cipher.
* Added RPM notes to INSTALL.
* Added ACX_PTHREAD (from the autoconf
  macro archive) to configure.ac
  to figure out the right pthread
  options for a given platform.
* Broke out macro definitions from
  configure.ac to acinclude.m4.
* Minor changes to docs and HOWTO.
* All changes maintain protocol compatibility
  with OpenVPN versions since 1.1.0.

2002.05.22 -- Version 1.2.0

* Added configuration file support via
  the --config option.
* Added pthread support to improve latency.
  With pthread support, OpenVPN
  will offload CPU-intensive tasks such as RSA
  key number crunching to a background thread
  to improve tunnel packet forwarding
  latency. pthread support can be enabled
  with the --enable-pthread configure option.
  Pthread support is currently available
  only for Linux and Solaris.
* Added --dev-type option so that tun/tap
  device names don't need to begin with
* Added --writepid option to write main
  process ID to a file.
* Numerous portability fixes to ease
  porting to other OSes including changing
  all network types to uint8_t and uint32_t,
  and not assuming that time_t is 32 bits.
* Backported to OpenSSL 0.9.5.
* Ported to Solaris.
* Finished OpenBSD port except for
* Added initialization script:
  sample-scripts/openvpn.init
* Ported to Mac OS X (Christoph Pfisterer).
* Improved resilience to DoS attacks when
  TLS mode is used without --remote or
  --tls-auth, or when --float is used
  with --remote. Note however that the best
  defense against DoS attacks in TLS mode
  is to use --tls-auth.
* Eliminated automake/autoconf dependency
* Ported configure.in to configure.ac
* SIGHUP signal now causes OpenVPN to restart
  and re-read command line and or config file,
  in conformance with canonical daemon behaviour.
* SIGUSR1 now does what SIGHUP did in
  version 1.1.1 and earlier -- close and reopen
  the UDP socket for use when DHCP changes
  host's IP address and preserve most recently
  authenticated peer address without rereading
* SIGUSR2 added -- outputs current statistics,
  including compression statistics.
* All changes maintain protocol compatibility
  with 1.1.1 and 1.1.0.

2002.04.22 -- Version 1.1.1

* Added --ifconfig option to automatically configure
* Added inactivity disconnect (--inactive
  and --ping-exit options).
* Added --ping option to keep stateful firewalls
* Added sanity check to command line parser to
  err if any TLS options are used in non-TLS mode.
* Fixed build problem with compiler environments that
  define printf as a macro.
* Fixed build problem on linux systems that have
  an integrated TUN/TAP driver but lack the persistent
  tunnel feature (TUNSETPERSIST). Some linux kernels
  >= 2.4.0 and < 2.4.7 fall into this category.
* Changed all calls to EVP_CipherInit to use explicit
  encrypt/decrypt mode in order to fix problem with
  IDEA-CBC and AES-256-CBC ciphers.
* Minor changes to control channel transmit limiter
  algorithm to fix problem where TLS control channel
  might not renegotiate within the default 60 second window.
* Simplified man page examples by taking advantage
  of the new --ifconfig option.
* Minor changes to configure.in to check more
  rigorously for OpenSSL 0.9.6 or greater.
* Put back openvpn.spec, eliminated
* Modified openvpn.spec to reflect new automake-based
  build environment (Bishop Clark).
* Other documentation changes.
* Added --test-crypto option for debugging.
* Added "missing" and "mkinstalldirs" automake

2002.04.09 -- Version 1.1.0

* Strengthened replay protection and IV handling,
  extending it fully to both static key and
  TLS dynamic key exchange modes.
* Added --mlock option to disable paging and ensure that key
  material and tunnel data is never paged to disk.
* Added optional traffic shaping feature to cap the maximum
  data rate of the tunnel.
* Converted to automake (The Platypus Brothers 2002-04-01).
* Ported to OpenBSD by Janne Johansson.
* Added --tun-af-inet option to work around an incompatibility
  between Linux and BSD tun drivers.
* Sequence number-based replay protection using the
  IPSec sliding window model is now the default,
  disable with --no-replay.
* Explicit IV is now the default, disable with --no-iv.
* Disabled all cipher modes except CBC, CFB, and OFB.
* In CBC mode, use explicit IV and carry forward residuals,
* In CFB/OFB mode, IV is timestamp, sequence number.
* Eliminated --packet-id, --timestamp, and max-delta parameter to
  the --tls-auth option as they are now supplanted by improved
  replay code which is enabled by default.
* Eliminated --rand-iv as it is now obsolete with improved
* Eliminated --reneg-err option as it increases vulnerability
* Added weak key check for DES ciphers.
* --tls-freq option is no longer specified on the command line,
  instead it now inherits its parameter from the
  --tls-timeout option.
* Fixed bug that would try to free memory on exit that was
  never malloced if --comp-lzo was not specified.
* Errata fixed in the man page examples: "test-ca" should be
* Updated manual page.
* Preliminary work in porting to OpenSSL 0.9.7.
* Changed license to allow linking with OpenSSL.
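
The IPSec-style sliding window that the 1.1.0 replay-protection entry above refers to, shown here as an added example in C; this is not OpenVPN's own packet-id code, and the 64-packet window width, the replay_window_t type and the sample sequence are assumptions chosen for illustration:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Window width in packets; 64 is an assumption chosen to fit one uint64_t. */
#define REPLAY_WINDOW_BITS 64

typedef struct {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set means (last_seq - i) was already seen */
} replay_window_t;

void replay_init(replay_window_t *w)
{
    memset(w, 0, sizeof(*w));
}

/* Accept seq if it is new and inside the window, recording it; reject
 * sequence number 0, replays, and packets older than the window. */
bool replay_check_and_update(replay_window_t *w, uint32_t seq)
{
    if (seq == 0)
        return false;                         /* 0 is never a valid sequence number */
    if (seq > w->last_seq) {                  /* newer than anything seen: slide window */
        uint32_t shift = seq - w->last_seq;
        w->bitmap = (shift >= REPLAY_WINDOW_BITS) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1ULL;                    /* bit 0 now represents seq itself */
        w->last_seq = seq;
        return true;
    }
    uint32_t diff = w->last_seq - seq;
    if (diff >= REPLAY_WINDOW_BITS)
        return false;                         /* too old: fell out of the window */
    if (w->bitmap & (1ULL << diff))
        return false;                         /* already seen: replay */
    w->bitmap |= (1ULL << diff);              /* late but fresh: mark and accept */
    return true;
}

/* Feed a constructed sequence of packet numbers through one window and
 * return how many were accepted, so a whole scenario can be checked. */
size_t replay_accept_count(const uint32_t *seqs, size_t n)
{
    replay_window_t w;
    size_t accepted = 0;
    replay_init(&w);
    for (size_t i = 0; i < n; i++)
        if (replay_check_and_update(&w, seqs[i]))
            accepted++;
    return accepted;
}
```

Out-of-order packets that are still inside the window are accepted once, a duplicate is refused, and a large forward jump resets the bitmap so that everything older than the window is refused.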

2002.03.29 -- Version 1.0.3

* Fixed a problem in configure with library ordering on the

2002.03.28 -- Version 1.0.2

* Improved the efficiency of the inner event loop.
* Fixed a minor bug with timeout handling.
* Improved the build system to build on RH 6.2 through 7.2.
* Added an openvpn.spec file for RPM builders (Bishop Clark).

2002.03.23 -- Version 1.0

* Added TLS-based authentication and key exchange.
* Added gremlin mode to stress test.

2001.12.26 -- Version 0.91

* Added any choice of cipher or HMAC digest.

2001.5.13 -- Version 0.90

* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.